Abstract

We investigate a subclass of well-structured transition systems (WSTS), the bounded, in the sense of Ginsburg and Spanier (Trans. AMS 1964), complete deterministic ones, which we claim provide an adequate basis for the study of forward analyses as developed by Finkel and Goubault-Larrecq (ICALP 2009b). Indeed, we prove that, unlike other conditions considered previously for the termination of forward analysis, boundedness is decidable. Boundedness turns out to be a valuable restriction for WSTS verification, as we show that it further allows to decide all $\omega$-regular properties on the set of infinite traces of the system.



1 Introduction 



General Context Forward analysis using acceleration (Boigelot and Wolper 1994; Bardin et al. 2005) is established as one of the most efficient practical means, albeit in general without termination guarantee, to tackle safety problems in infinite state systems, e.g. in the tools TReX (Annichini et al. 2001), LASH (http://www.montefiore.ulg.ac.be/~boigelot/research/lash/), or Fast (Bardin et al. 2008). Even in the context of well-structured transition systems (WSTS), a unifying framework for infinite systems endowed with a generic backward coverability algorithm due to Abdulla et al. (2000), forward algorithms are commonly felt to be more efficient than backward procedures (Henzinger et al. 2003): e.g. for lossy channel systems (Abdulla and Jonsson 1996a), although the backward procedure always terminates, only the non-terminating forward procedure is implemented in the tool TReX (Annichini et al. 2001).

Acceleration techniques rely on symbolic representations of sets of states to compute exactly the effect of repeatedly applying a finite sequence of transitions $w$, i.e. the effect of $w^*$. The forward analysis terminates if and only if a finite sequence $w_1^* \cdots w_n^*$ of such accelerations deriving the full reachability set can be found, resulting in the definition of the post* flattable class of systems (Bardin et al. 2005). Despite evidence that many classes of systems are flattable (Leroux and Sutre 2004, 2005), whether a system is post* flattable is undecidable for general systems (Bardin et al. 2005).
The Well Structured Case Finkel and Goubault-Larrecq (2009a, b) have recently laid new theoretical foundations for the forward analysis of deterministic WSTS, where determinism is understood with respect to transition labels, by defining complete deterministic WSTS (cd-WSTS) as a means to obtain finite representations for downward closed sets of states (see also Geeraerts et al. 2006), $\infty$-effective cd-WSTS as those for which the acceleration of certain sequences can effectively be computed, and by proposing a conceptual forward Clover procedure à la Karp and Miller for computing the full cover of a cd-WSTS, i.e. the downward closure of its set of reachable states. Similarly to post* flattable systems, their procedure terminates if and only if the cd-WSTS at hand is cover flattable, which is undecidable (Finkel and Goubault-Larrecq 2009b). As we show in this paper, post* flattability is also undecidable for cd-WSTS, thus motivating the search for even stronger sufficient conditions for termination. A decidable sufficient condition that we can easily discard as too restrictive is trace set finiteness, corresponding to terminating systems (Finkel 1990).



This Work Our aim with this paper was to find a reasonable decidable sufficient condition for the termination of the Clover procedure. We have found one such condition in the work of Demri et al. (2011) with trace flattable systems, which are maybe better defined as the systems with a bounded trace language in the sense of Ginsburg and Spanier (1964): a language $L \subseteq \Sigma^*$ is bounded if there exist $n \in \mathbb{N}$ and $n$ words $w_1, \dots, w_n$ in $\Sigma^*$ such that $L \subseteq w_1^* \cdots w_n^*$. The regular expression $w_1^* \cdots w_n^*$ is called a bounded expression for $L$. Bounded cd-WSTS encompass systems with finite language.

Trace boundedness implies post* and cover flattability. Moreover, Demri et al. show that it allows to decide liveness properties for a restricted class of counter systems. However, to the best of our knowledge, nothing was known regarding the decidability of boundedness itself, apart from the proofs of decidability for context-free grammars (Ginsburg and Spanier 1964) and equal matrix grammars (Siromoney 1969).
We characterize boundedness for cd-WSTS and provide as our main contribution a proof that it is decidable (Section 3), relying on lub-accelerations to represent the effect of certain transfinite sequences of transitions. We further argue in Section 4 that both the class of systems (deterministic WSTS) and the property (boundedness) are in some sense optimal: we prove that boundedness becomes undecidable if we relax either the determinism or the well-structuredness conditions, and that the less restrictive property of post* flattability is not decidable on deterministic WSTS.

We investigate in Section 5 the complexity of boundedness. It can grow very high depending on the type of underlying system, but this is the usual state of things with WSTS (e.g. the non multiply-recursive lower bound for coverability in lossy channel systems of Chambart and Schnoebelen (2008) also applies to boundedness) and does not prevent tools from being efficient on case studies. Although there is no hope of finding general upper bounds for all WSTS, we nevertheless propose a generic proof recipe, based on a detailed analysis of our decidability proof, which results in tight upper bounds in the cases of lossy channel systems and affine counter systems. In the simpler case of Petri nets, we demonstrate that boundedness is ExpSpace-hard, but that the size of the associated bounded expression can be non primitive recursive.

Beyond coverability, and as further evidence to the interest of boundedness for the verification of WSTS, we show that all $\omega$-regular word properties can be checked against the set of infinite traces of bounded $\infty$-effective cd-WSTS, resulting in a non-trivial recursive class of WSTS with decidable liveness (Section 6.2). Liveness properties are in general undecidable for WSTS (Abdulla and Jonsson 1996b; Mayr 2003), and the known procedures for linear temporal logic (LTL) model checking are not guaranteed to terminate (Emerson and Namjoshi 1998; Abdulla et al. 2004) or limited to subclasses, like Petri nets (Esparza 1997). As a consequence of our results, (transition-based) LTL model checking is decidable for bounded cd-WSTS (Section 6.3), whereas state-based properties are undecidable for bounded cd-WSTS (Cortier 2002).



One might fear boundedness is too strong a property to be of any practical use. For instance, commutations, as created by concurrent transitions, often result in unboundedness. However, bear in mind that the same issues more broadly affect all forward analysis techniques, and have been alleviated in tools through various heuristics. Boundedness offers a new insight into why such heuristics work, and can be used as a theoretical foundation for their principled development; we illustrate this point in Section 7, where we introduce boundedness modulo a partial commutation relation. We demonstrate the interest of this extension by verifying a liveness property on the Alternating Bit Protocol with a bounded number of sessions.

This work results in an array of concrete classes of WSTS, including lossy channel systems (Abdulla and Jonsson 1996a), broadcast protocols (Emerson and Namjoshi 1998), and Petri nets and their monotone extensions, such as reset/transfer Petri nets (Dufourd et al. 1999), for which boundedness is decidable and implies both computability of the full coverability set and decidability of liveness properties. Even for unbounded systems, it provides a new foundation for the heuristics currently employed by tools to help termination, as with the commutation reductions we just mentioned.



2 Background 



2.1 A Running Example 



We consider throughout this paper an example (see Figure 1) inspired by the recent literature on asynchronous or event-based programming (Krohn et al. 2007; Ganty et al. 2009), namely that of a client performing $n$ asynchronous remote procedure calls (corresponding to the post(rdv, rpc) statement on line 7), of which at most $P$ can simultaneously be pending. Such piped (or windowed) clients are commonly employed to prevent server saturation.

The abstracted "producer/consumer" Petri net for this program (ignoring the grayed parts for now) has two transitions $i$ and $e$ modeling the if and else branches of lines 6 and 9 respectively. The deterministic choice between these two branches is here replaced by a nondeterministic one, where the program can choose the else branch and wait for some rpc call to return before the window of pending calls is exhausted. Observe that we can recover the original program behavior by further controlling the Petri net with the bounded regular language $i^P (ei)^* e^P$ ($P$ is fixed), i.e. taking the intersection by synchronous product with a deterministic finite automaton for $i^P (ei)^* e^P$. This is an example of a trace bounded system.

Even without bounded control, the Petri net of Figure 1 has a bounded, finite, language for each fixed initial $n$; however, for $P \geq 2$, if we expand it for parametric verification with the left grayed area to allow any $n$ (or set $n = \omega$ as initial value to switch to server mode), then its language becomes unbounded. We will reuse this example in Section 3 when characterizing unboundedness in cd-WSTS. The full system is of course bounded when synchronized with a deterministic finite automaton for the language $g^* c\, i^P (ei)^* e^P$.

 1 // Performs n invocations of the rpc() function
 2 // with at most P>=1 simultaneous concurrent calls
 3 piped_multirpc(int n) {
 4   int sent = n, recv = n; rendezvous rdv;
 5   while (recv > 0)
 6     if (sent > 0 && recv - sent < P) {
 7       post(rdv, rpc);  // asynchronous call
 8       sent--;
 9     } else {           // sent == 0 || recv - sent >= P
10       wait(rdv);       // a rpc has returned
11       recv--;
12     }
13 }

[Petri net of the client: places main and piped_multirpc, transitions i and e; diagram not reproduced.]

Figure 1: A piped RPC client in C-like syntax, and its Petri net modelization.



2.2 Definitions 

Languages Let $\Sigma$ be a finite alphabet; we denote by $\Sigma^*$ the set of finite sequences of elements from $\Sigma$, and by $\Sigma^\omega$ that of infinite sequences; $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. We denote the empty sequence by $\varepsilon$, the length of a sequence $w$ by $|w|$, and left quotients of a language $L_2$ by a language $L_1$ over $\Sigma$ by $L_1^{-1} L_2 = \{v \in \Sigma^* \mid \exists u \in L_1, uv \in L_2\}$.

We make regular use of the closure of bounded languages by finite union, intersection and concatenation, taking subsets, prefixes, suffixes, and factors, and of the following sufficient condition for the unboundedness of a language $L$ (Ginsburg and Spanier 1964, Lemma 5.3): the existence of two words $u$ and $v$ in $\Sigma^+$, such that $uv \neq vu$ and each word in $\{u, v\}^*$ is a factor of some word in $L$.
Orderings Given a relation $R \subseteq A \times B$, we denote by $R^{-1}$ its inverse, by $R(C) \subseteq B$ the image of $C \subseteq A$, by $R^*$ its transitive reflexive closure if $R(A) \subseteq A$, and by $\mathrm{dom}\,R = R^{-1}(B)$ its domain.

A quasi ordering $\leq$ is a reflexive and transitive relation on a set $S$. We write $\geq\ =\ \leq^{-1}$ for the converse quasi order, $<\ =\ \leq \setminus \geq$ for the associated strict order, and $\equiv\ =\ \leq \cap \leq^{-1}$ for the associated equivalence relation. The $\leq$-upward closure $\uparrow C$ of a set $C \subseteq S$ is $\{s \in S \mid \exists c \in C, c \leq s\}$; its $\leq$-downward closure is $\downarrow C = \{s \in S \mid \exists c \in C, c \geq s\}$. A set $C$ is $\leq$-upward closed (resp. $\leq$-downward closed) if $\uparrow C = C$ (resp. $\downarrow C = C$). A set $B$ is a basis for an upward-closed set $C$ (resp. downward-closed) if $\uparrow B = C$ (resp. $\downarrow B = C$). An upper bound $s \in S$ of a set $A$ verifies $a \leq s$ for all $a$ of $A$, while we denote its least upper bound, if it exists, by $\mathrm{lub}(A)$.

A well quasi ordering (wqo) is a quasi ordering such that for any infinite sequence $s_0 s_1 s_2 \cdots$ of $S^\omega$, there exist $i < j$ in $\mathbb{N}$ such that $s_i \leq s_j$. Equivalently, there does not exist any strictly descending chain $s_0 > s_1 > \cdots > s_i > \cdots$, and any antichain, i.e. set of pairwise incomparable elements, is finite. In particular, the set of minimal elements of an upward-closed set $C$ is finite when quotiented by $\equiv$, and is a basis for $C$. Pointwise comparison $\leq$ in $\mathbb{N}^k$, and scattered subword comparison $\preceq$ on finite sequences in $\Sigma^*$ are well quasi orders by Higman's Lemma.

Continuous Directed Complete Partial Orders A directed subset $D \neq \emptyset$ of $S$ is such that any pair of elements of $D$ has an upper bound in $D$. A directed complete partial order (dcpo) is such that any directed subset has a least upper bound. A subset $O$ of a dcpo is open if it is upward-closed and if, for any directed subset $D$ such that $\mathrm{lub}(D)$ is in $O$, $D \cap O \neq \emptyset$. A partial function $f$ on a dcpo is partial continuous if it is monotonic, $\mathrm{dom}\,f$ is open, and for any directed subset $D$ of $\mathrm{dom}\,f$, $\mathrm{lub}(f(D)) = f(\mathrm{lub}(D))$. Two elements $s$ and $s'$ of a dcpo are in a way below relation, noted $s \ll s'$, if for every directed subset $D$ such that $s' \leq \mathrm{lub}(D)$, there exists $s'' \in D$ s.t. $s \leq s''$. A dcpo is continuous if, for every $s'$ in $S$, $\mathrm{wb}(s') = \{s \in S \mid s \ll s'\}$ is directed and has $s'$ for least upper bound.

Well Structured Transition Systems A labeled transition system (LTS) $\mathcal{S} = (S, s_0, \Sigma, \to)$ comprises a set $S$ of states, an initial state $s_0 \in S$, a finite set of labels $\Sigma$, and a transition relation $\to$ on $S$ defined as the union of the relations $\xrightarrow{a} \subseteq S \times S$ for each $a$ in $\Sigma$. The relations are extended to sequences in $\Sigma^*$ by $s \xrightarrow{\varepsilon} s$ and $s \xrightarrow{aw} s''$ for $a$ in $\Sigma$ and $w$ in $\Sigma^*$ if there exists $s'$ in $S$ such that $s \xrightarrow{a} s'$ and $s' \xrightarrow{w} s''$. We write $\mathcal{S}(s)$ for the same LTS with $s$ in $S$ as initial state (instead of $s_0$). A LTS is

• bounded branching if $\mathrm{Post}_{\mathcal{S}}(s) = \{s' \in S \mid s \to s'\}$ is finite for all $s$ in $S$,

• deterministic if $\xrightarrow{a}$ is a partial function for each $a$ in $\Sigma$ (and is thus bounded branching); we abuse notation in this case and identify $u$ with the partial function $\xrightarrow{u}$ for $u$ in $\Sigma^*$,

• state bounded if its reachability set $\mathrm{Post}^*_{\mathcal{S}}(s_0) = \{s \in S \mid s_0 \to^* s\}$ is finite,

• trace bounded if its trace set $T(\mathcal{S}) = \{w \in \Sigma^* \mid \exists s \in S, s_0 \xrightarrow{w} s\}$ is bounded,

• terminating if its trace set is finite.

A well-structured transition system (WSTS) (Finkel 1990; Abdulla et al. 2000; Finkel and Schnoebelen 2001) $(S, s_0, \Sigma, \to, \leq, F)$ is a labeled transition system $(S, s_0, \Sigma, \to)$ endowed with a wqo $\leq$ on $S$ and a $\leq$-upward closed set of final states $F$, such that $\to$ is monotonic wrt. $\leq$: for any $s_1, s_2, s_3$ in $S$ and $a$ in $\Sigma$, if $s_1 \leq s_2$ and $s_1 \xrightarrow{a} s_3$, then there exists $s_4 \geq s_3$ in $S$ with $s_2 \xrightarrow{a} s_4$.

The language of a WSTS is defined as $L(\mathcal{S}) = \{w \in \Sigma^* \mid \exists s \in F, s_0 \xrightarrow{w} s\}$; see Geeraerts et al. (2007) for a general study of such languages. In the context of Petri nets, $L(\mathcal{S})$ is also called the covering or weak language, and $T(\mathcal{S})$ the prefix language. Observe that a deterministic finite-state automaton (DFA) is a deterministic WSTS $\mathcal{A} = (Q, q_0, \Sigma, \delta, =, F)$, where $Q$ is finite.

Given two WSTS $\mathcal{S}_1 = (S_1, s_{0,1}, \Sigma, \to_1, \leq_1, F_1)$ and $\mathcal{S}_2 = (S_2, s_{0,2}, \Sigma, \to_2, \leq_2, F_2)$, their synchronous product $\mathcal{S}_1 \times \mathcal{S}_2 = (S_1 \times S_2, (s_{0,1}, s_{0,2}), \Sigma, \to_\times, \leq_\times, F_1 \times F_2)$, where for all $s_1, s'_1$ in $S_1$, $s_2, s'_2$ in $S_2$, $a$ in $\Sigma$, $(s_1, s_2) \xrightarrow{a}_\times (s'_1, s'_2)$ iff $s_1 \xrightarrow{a}_1 s'_1$ and $s_2 \xrightarrow{a}_2 s'_2$, and $(s_1, s_2) \leq_\times (s'_1, s'_2)$ iff $s_1 \leq_1 s'_1$ and $s_2 \leq_2 s'_2$, is again a WSTS, such that $L(\mathcal{S}_1 \times \mathcal{S}_2) = L(\mathcal{S}_1) \cap L(\mathcal{S}_2)$.

We often consider the case $F = S$ and omit $F$ from the WSTS definition, as we are more interested in trace sets, which provide more evidence on the reachability sets.



Coverability A WSTS is Pred-effective if $\to$ and $\leq$ are decidable, and a finite basis for $\uparrow\mathrm{Pred}_{\mathcal{S}}(\uparrow s, a) = \uparrow\{s' \in S \mid \exists s'' \in S, s' \xrightarrow{a} s'' \text{ and } s \leq s''\}$ can effectively be computed for all $s$ in $S$ and $a$ in $\Sigma$ (Finkel and Schnoebelen 2001). The cover set of a WSTS is $\mathrm{Cover}_{\mathcal{S}}(s_0) = \downarrow\mathrm{Post}^*_{\mathcal{S}}(s_0)$, and it is decidable whether a given state $s$ belongs to $\mathrm{Cover}_{\mathcal{S}}(s_0)$ for finite branching effective WSTS, thanks to a backward algorithm that checks whether $s_0$ belongs to $\uparrow\mathrm{Pred}^*_{\mathcal{S}}(\uparrow s) = \uparrow\{s' \in S \mid \exists s'' \in S, s' \to^* s'' \text{ and } s'' \geq s\}$. One can also decide the emptiness of the language of a WSTS, by checking whether $s_0$ belongs to $\uparrow\mathrm{Pred}^*_{\mathcal{S}}(F)$.



Flattenings Let $\mathcal{A}$ be a DFA with a bounded language. The synchronous product $\mathcal{S}'$ of $\mathcal{S}$ and $\mathcal{A}$ is a flattening of $\mathcal{S}$. Consider the projection $\pi$ from $S \times Q$ to $S$ defined by $\pi(s, q) = s$; then $\mathcal{S}$ is post* flattable if there exists a flattening $\mathcal{S}'$ of $\mathcal{S}$ such that $\mathrm{Post}^*_{\mathcal{S}}(s_0) = \pi(\mathrm{Post}^*_{\mathcal{S}'}((s_0, q_0)))$. In the same way, it is cover flattable if $\mathrm{Cover}_{\mathcal{S}}(s_0) = \pi(\mathrm{Cover}_{\mathcal{S}'}((s_0, q_0)))$, and trace flattable if $T(\mathcal{S}) = T(\mathcal{S}')$. Remark that

1. trace flattability is equivalent to the boundedness of the trace set, and that

2. trace flattability implies post* flattability, which in turn implies cover flattability.



Complete WSTS A deterministic WSTS $(S, s_0, \Sigma, \to, \leq)$ is complete (a cd-WSTS) if $(S, \leq)$ is a continuous dcpo and each transition function $a$ for $a$ in $\Sigma$ is partial continuous (Finkel and Goubault-Larrecq 2009a, b). The lub-acceleration $u^\omega$ of a partial continuous function $u$ on $S$, $u$ in $\Sigma^+$, is again a partial function on $S$ defined by

$\mathrm{dom}\,u^\omega = \{s \in \mathrm{dom}\,u \mid s \leq u(s)\}$,
$u^\omega(s) = \mathrm{lub}(\{u^n(s) \mid n \in \mathbb{N}\})$ for $s$ in $\mathrm{dom}\,u^\omega$.

A complete WSTS is $\infty$-effective if $u^\omega$ is computable for every $u$ in $\Sigma^+$.

Figure 2: Classes of systems mentioned in the paper, with a few relevant references. [Diagram not reproduced; the classes shown include Minsky counter machines, lossy channel systems, and Presburger accelerable counter systems.]



2.3 Working Hypotheses 

Our decidability results rely on some effectiveness assumptions for a restricted 
class of WSTS: the complete deterministic ones. We discuss in this section the 
exact scope of these hypotheses. As an appetizer, notice that both boundedness 
and action-based w-regular properties are only concerned with trace sets, hence 
one can more generally consider classes of WSTS for which a trace-equivalent 



complete deterministic system can effectively be found. Figure 2 presents the 
various classes of systems mentioned at one point or another in the main text 
or in the proofs. It also provides a good way to emphasize the applicability of 
our results on oo-effective cd-WSTS. 



Completeness Finkel and Goubault-Larrecq (2009b) define $\omega^2$-WSTS as the class of systems that can be completed, and provide an extensive off-the-shelf algebra of datatypes with their completions (Finkel and Goubault-Larrecq 2009a). As they argue, all the concrete classes of deterministic WSTS considered in the literature are $\omega^2$. Completed systems share their sets of finite and infinite traces with the original systems: the added limit states only influence transfinite sequences of transitions.

For instance, the whole class of affine counter systems, with affine transition functions of form $f(X) = AX + B$, with $A$ a $k \times k$ matrix of non-negative integers and $B$ a vector of $k$ integers (encompassing reset/transfer Petri nets and broadcast protocols), can be completed to configurations in $(\mathbb{N} \cup \{\omega\})^k$. Similarly, functional lossy channel systems (Finkel and Goubault-Larrecq 2009a) can work on Products (Abdulla et al. 2004, Corollary 6.5). On both accounts, the completed functions are partial continuous.

Determinism Beyond deterministic systems, one can consider finite branching WSTS (Finkel and Goubault-Larrecq 2009a) obtained from deterministic WSTS through a labeling function $\sigma$. Such WSTS are not necessarily deterministic, but one can decide the following sufficient condition for determinism.

Proposition 1. Let $\mathcal{S}$ be a WSTS defined by a deterministic WSTS $(S, s_0, T, \to, \leq)$ and a labeling $\sigma : T \to \Sigma$. If $(S, \leq)$ is an effective join-semilattice, one can decide whether, for all reachable states $s$ of $\mathcal{S}$ and pairs $(f, f')$ of transition functions in $T$ with $\sigma(f) = \sigma(f')$, $s \in \mathrm{dom} \xrightarrow{f} \cap\, \mathrm{dom} \xrightarrow{f'}$ implies $f = f'$.

Proof. Recall that a partial order $(S, \leq)$ is a join-semilattice if the lub (aka join) of any pair of elements of $S$ exists; we say that it is effective if this lub can effectively be computed.

Let $D = \mathrm{dom} \xrightarrow{f} \cap\, \mathrm{dom} \xrightarrow{f'}$; we can reformulate the existence of an $s$ violating the condition of the proposition as a coverability problem, i.e. whether $s_0$ belongs to $\mathrm{Pred}^*(D)$, which is decidable thanks to the usual backward reachability algorithm if we provide a finite basis for $D$.

Let $B_f$ and $B_{f'}$ be finite bases for $\mathrm{dom} \xrightarrow{f}$ and $\mathrm{dom} \xrightarrow{f'}$; we can define

$B = \{\mathrm{lub}(s_f, s_{f'}) \mid s_f \in B_f, s_{f'} \in B_{f'}\}$,

since the lub of two elements exists and can always be computed in the effective join-semilattice $(S, \leq)$. Let us prove that $\uparrow B = D$: suppose $s$ is an element of $D$, thus that there exist $s_f$ in $B_f$ and $s_{f'}$ in $B_{f'}$ such that $s \geq s_f$ and $s \geq s_{f'}$. Then $s' = \mathrm{lub}(s_f, s_{f'})$ belongs to $B$ and is such that $s' \geq s_f$, $s' \geq s_{f'}$, and for all $s''$ greater than both $s_f$ and $s_{f'}$, $s' \leq s''$. Taking $s'' = s$ in the previous sentence yields the proof. □

For instance, labeled functional lossy channel systems and labeled affine counter systems fit Proposition 1, since $(\mathrm{Products}, \subseteq)$ and $((\mathbb{N} \cup \{\omega\})^k, \leq)$ are effective join-semilattices; also note that determinism is known to be ExpSpace-complete for labeled Petri nets (Atig and Habermehl 2009).



Another extension beyond cd-WSTS is possible: call a system $\mathcal{S}$ essentially deterministic if, analogously to the essentially finite branching systems of Abdulla et al. (2000), for each state $s$ and symbol $a$, there is a single maximal element inside $\mathrm{Post}_{\mathcal{S}}(s, a) = \{s' \in S \mid s \xrightarrow{a} s'\}$, which we can effectively compute. Indeed, from $\mathcal{S}$ we can construct a deterministic system $\mathcal{S}_d$ with transitions $s \xrightarrow{a} \max(\mathrm{Post}_{\mathcal{S}}(s, a))$ defined whenever $\mathrm{Post}_{\mathcal{S}}(s, a)$ is not empty, for all $s$ in $S$ and $a$ in $\Sigma$. Thanks to monotonicity, any string recognized from some state in $\mathrm{Post}_{\mathcal{S}}(s, a)$ can also be recognized from $\max(\mathrm{Post}_{\mathcal{S}}(s, a))$, which entails $T(\mathcal{S}) = T(\mathcal{S}_d)$.

Finally, one can try to devise trace- and cover-equivalent deterministic semantics for systems with unbounded branching, like functional lossy channel systems (Finkel and Goubault-Larrecq 2009a) for lossy channel systems, or reset Petri nets for lossy Minsky machines. From a verification standpoint, the deterministic semantics is then equivalent to the classical one.

Effectiveness All the concrete classes of WSTS are Pred-effective, and we assume this property from all our systems from now on. It also turns out that $\infty$-effective systems abound, including once more (completed) affine counter systems (Finkel and Goubault-Larrecq 2009b) and functional lossy channel systems.



3 Deciding Boundedness 

We present in this section two semi-algorithms, first for boundedness, which relies on the decidability of language emptiness in WSTS, and then for unboundedness, for which we show that a witness can be found in cd-WSTS. In fact, upon closer inspection, the second semi-algorithm can be turned into a full-fledged algorithm when some care is taken in the search for a witness.

Theorem 2. Language boundedness is decidable for $\infty$-effective cd-WSTS. If the language is bounded, then one can effectively find an adequate bounded expression $w_1^* \cdots w_n^*$ for it.

3.1 Boundedness

Language boundedness is semi-decidable with a rather straightforward procedure for any WSTS $\mathcal{S}$ (neither completeness nor determinism are necessary): enumerate the possible bounded expressions $w_1^* \cdots w_n^*$ and check whether the language $L(\mathcal{S})$ of the WSTS is included in their language. This last operation can be performed by checking the emptiness of the language of the WSTS obtained as the synchronous product $\mathcal{S} \times \mathcal{A}$ of the original system with a DFA $\mathcal{A}$ for the complement of the language of $w_1^* \cdots w_n^*$. If $L(\mathcal{S} \times \mathcal{A})$ is empty, which is decidable thanks to the generic backward algorithm for WSTS, then we have found a bounded expression for $L(\mathcal{S})$.
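The two ingredients of this semi-algorithm, the enumeration of bounded expressions and the inclusion test, as an added example that is not code from the paper. For a WSTS the inclusion test is the emptiness check on $\mathcal{S} \times \mathcal{A}$ described above; here it is instantiated on a finite language, where inclusion reduces to membership of each word in $w_1^* \cdots w_n^*$. Membership is decided by simulating the obvious NFA for the expression, because a greedy left-to-right match is wrong (ab belongs to $a^*(ab)^*$ with zero copies of a, but greedy matching consumes the a first and then fails). The enumeration dovetails over the number of words and their lengths, so that every expression is reached after finitely many steps, which is what makes the procedure a semi-algorithm rather than a search that can get stuck on $w_1^*$ for ever longer $w_1$. The sample language is the trace set $\{c, d\}^{\leq 2}$ of $\mathcal{N}'(0, 1, 2, 0)$ from Section 3.2; the bound on the total size of the expressions is an assumption of the example so that it terminates on languages that are not bounded.

```python
"""Added example (not the paper's code): membership in a bounded expression
w_1^* ... w_n^* and the enumeration at the heart of the Section 3.1
semi-algorithm, instantiated on a finite language."""
from itertools import product


def _closure(states, ws):
    """At a word boundary (i, 0) the NFA may skip ahead to any later word."""
    out = set(states)
    for i, j in states:
        if j == 0:
            out.update((k, 0) for k in range(i, len(ws)))
    return out


def in_bounded_expr(word, ws):
    """Is `word` in the language of w_1^* ... w_n^* (ws = (w_1, ..., w_n))?
    NFA state (i, j): j letters of w_i consumed; (i, 0) is a word boundary.
    Unlike a greedy match, all alternatives are kept alive."""
    states = _closure({(0, 0)}, ws)
    for ch in word:
        nxt = set()
        for i, j in states:
            if ws[i][j] == ch:
                j2 = j + 1
                nxt.add((i, 0) if j2 == len(ws[i]) else (i, j2))
        states = _closure(nxt, ws)
        if not states:
            return False
    return any(j == 0 for _, j in states)


def contained(lang, ws):
    """L subseteq w_1^* ... w_n^* for a finite language L (an iterable of words)."""
    return all(in_bounded_expr(w, ws) for w in lang)


def _compositions(total, parts):
    """All tuples of `parts` positive integers summing to `total`."""
    if parts == 1:
        yield (total,)
        return
    for first in range(1, total - parts + 2):
        for rest in _compositions(total - first, parts - 1):
            yield (first,) + rest


def find_bounded_expr(lang, alphabet, max_size=8):
    """Enumerate bounded expressions by increasing total size sum |w_i| and
    return the first one containing `lang`, or None if none is found within
    `max_size` (the cut-off is an assumption of this example; the paper's
    semi-algorithm simply runs for ever on an unbounded language)."""
    for size in range(1, max_size + 1):
        for n in range(1, size + 1):
            for lengths in _compositions(size, n):
                choices = [["".join(t) for t in product(alphabet, repeat=l)]
                           for l in lengths]
                for ws in product(*choices):
                    if contained(lang, ws):
                        return ws
    return None


# Constructed sample: the finite trace set {c,d}^{<=2} of N'(0,1,2,0).
TRACES_N_PRIME_2 = {"", "c", "d", "cc", "cd", "dc", "dd"}

if __name__ == "__main__":
    print(in_bounded_expr("ab", ("a", "ab")))            # True: zero a's, one ab
    print(find_bounded_expr(TRACES_N_PRIME_2, "cd"))     # ('c', 'd', 'c')
    print(in_bounded_expr("iiieee", ("ii", "ei", "ee")))  # False: window P=2 exceeded
```

The expression returned for $\{c, d\}^{\leq 2}$ has three words, $c^* d^* c^*$, because no two-word expression contains both cd and dc; the windowed client's control language $i^P (ei)^* e^P$ of Section 2.1 with $P = 2$ is the tuple ("ii", "ei", "ee"), against which a trace with three consecutive posts is rejected.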

3.2 Unboundedness 

We detail the procedure for unboundedness of the trace set. Our construction relies on the existence of a witness of unboundedness, which can be found after a finite time in a cd-WSTS by exploring its states using accelerated sequences. Considering the trace set of a WSTS is thus no loss of generality compared to considering its language: we can compute the set of co-accessible states $\mathrm{Pre}^*(F)$ and use it to restrict our exploration.
Figure 3: The Petri net $\mathcal{N}'(1, 0, 0, 0)$, with an unbounded trace set. [Diagram not reproduced.]

Overview Let us consider the Petri net $\mathcal{N}'$ with initial marking $(1, 0, 0, 0)$, depicted in Figure 3, with trace set

$T(\mathcal{N}'(1, 0, 0, 0)) = a^* \cup \bigcup_{n \in \mathbb{N}} a^n b \{c, d\}^{\leq n}$.

Notice that the trace set of $\mathcal{N}'$ with initial marking $(0, 1, n, 0)$ is bounded for each $n$: it is $\{c, d\}^{\leq n}$, a finite language. The unboundedness of $\mathcal{N}'(1, 0, 0, 0)$ originates in its ability to reach each $(0, 1, n, 0)$ marking after a sequence of $n$ transitions on $a$ followed by a $b$ transition.

Consider now transitions $(1, 0, 0, 0) \xrightarrow{a} (1, 0, 1, 0)$ and $(1, 0, 0, 0) \xrightarrow{b} (0, 1, 0, 0)$. The two systems $\mathcal{N}'(1, 0, 1, 0)$ and $\mathcal{N}'(0, 1, 0, 0)$ are respectively unbounded and bounded. In fact, there always exists at least one $a$ in $\Sigma$ such that $a^{-1} L$ remains unbounded.

By induction, we can find words $w$ of any length $|w| = n$ such that $w^{-1} T(\mathcal{S})$ is still unbounded: this is the case of $a^n$ in our example. This process continues to the infinite, but in a WSTS we will eventually find two states $s_i \leq s_j$, met after $i < j$ steps respectively. Let $s_i \xrightarrow{u} s_j$; by monotonicity we can recognize $u^*$ starting from $s_i$. In a cd-WSTS, there is a lub-accelerated state $s$ with $s_i \xrightarrow{u^\omega} s$ that represents the effect of all these $u$ transitions; here $(1, 0, 0, 0) \xrightarrow{a^\omega} (1, 0, \omega, 0)$. The interesting point is that our lub-acceleration finds the correct residual trace set: $T(\mathcal{N}'(1, 0, \omega, 0)) = (a^*)^{-1} T(\mathcal{N}'(1, 0, 0, 0))$.

Again, we can repeatedly remove accelerated strings from the prefixes of our trace set and keep it unbounded. However, due to the wqo, an infinite succession of lub-accelerations allows us to nest some loops after a finite number of steps.

Still with the same example, we reach $(1, 0, \omega, 0) \xrightarrow{b} (0, 1, \omega, 0)$, and, thanks to the lub-acceleration, the source of unboundedness is now visible because both $(0, 1, \omega, 0) \xrightarrow{c} (0, 1, \omega, 0)$ and $(0, 1, \omega, 0) \xrightarrow{d} (0, 1, \omega, 1)$ are increasing, thus by monotonicity $T(\mathcal{N}'(0, 1, \omega, 0)) = \{c, d\}^*$. By continuity, for each string $u$ in $\{c, d\}^*$, there exists $n$ in $\mathbb{N}$ such that $a^n b u$ is an actual trace of $\mathcal{N}'(1, 0, 0, 0)$.

The same reasoning can be applied to the Petri net of Figure 1 with initial marking $(1, 0, 0, P, 0)$ for $P \geq 2$. As mentioned in Section 2.1, its trace set is unbounded, but the trace set of $\mathcal{N}$ with initial marking $(0, 1, n, P, 0)$ is bounded for each $n$, since it is a finite language. We reach $(1, 0, 0, P, 0) \xrightarrow{g^\omega} (1, 0, \omega, P, 0) \xrightarrow{ci} (0, 1, \omega, P-1, 1)$ and see that both $(0, 1, \omega, P-1, 1) \xrightarrow{ei} (0, 1, \omega, P-1, 1)$ and $(0, 1, \omega, P-1, 1) \xrightarrow{ieei} (0, 1, \omega, P-1, 1)$ are increasing, thus by monotonicity $T(\mathcal{N}(0, 1, \omega, P-1, 1))$ contains $\{ei, ieei\}^*$. Here continuity comes into play to show that these limit behaviors are reflected in the set of finite traces of the system: in our example, for each string $u$ in $\{ei, ieei\}^*$, there exists a finite $n$ in $\mathbb{N}$ such that $g^n c i u$ is an actual trace of $\mathcal{N}(1, 0, 0, P, 0)$.

Figure 4: An increasing fork witnesses unboundedness. [Diagram not reproduced.]

Increasing Forks We call the previous witness of unboundedness an increasing fork, as depicted in schematic form in Figure 4. Let us first define accelerated runs and languages for complete WSTS, where lub-accelerations are employed.

Definition 3. Let $\mathcal{S} = (S, s_0, \Sigma, \to, \leq, F)$ be a cd-WSTS. An accelerated run is a finite sequence $\sigma = s_0 s_1 s_2 \cdots s_n$ in $S^*$ such that for all $i \geq 0$, either there exists $a$ in $\Sigma$ such that

$s_i \xrightarrow{a} s_{i+1}$ (single step)

or there exists $u$ in $\Sigma^+$ such that

$s_i \xrightarrow{u^\omega} s_{i+1}$. (accelerated step)

We denote the relation over $S$ defined by such an accelerated run by $s_0 \to_{acc} s_n$. An accelerated run is accepting if $s_n$ is in $F$. The accelerated language (resp. accelerated trace set) $L^{acc}(\mathcal{S})$ (resp. $T^{acc}(\mathcal{S})$) of $\mathcal{S}$ is the set of sequences that label some accepting accelerated run (resp. some accelerated run).

We denote by $\Sigma^{<\omega^2}$ the set of sequences of (ordinal) length strictly smaller than $\omega^2$; in particular $L^{acc}(\mathcal{S}) \subseteq \Sigma^{<\omega^2}$.

Definition 4. A cd-WSTS $\mathcal{S} = (S, s_0, \Sigma, \to, \leq)$ has an increasing fork if there exist $a \neq b$ in $\Sigma$, $u$ in $\Sigma^{<\omega^2}$, $v$ in $\Sigma^*$, and $s$, $s_a \geq s$, $s_b \geq s$ in $S$ such that

$s_0 \to_{acc} s$, $s \xrightarrow{au}_{acc} s_a$, and $s \xrightarrow{bv} s_b$.

As shown in the following proposition, a semi-algorithm for unboundedness in $\infty$-effective cd-WSTS then consists in an exhaustive search for an increasing fork, by applying non nested lub-accelerations whenever possible. In fact, by choosing which acceleration sequences to employ in the search for an increasing fork, we can turn this semi-algorithm into a full algorithm; we will see this in more detail in Section 5.2.

Proposition 5. A cd-WSTS has an unbounded trace set iff it has an increasing fork.
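The search for an increasing fork on the two Petri nets of this section, as an added example that is not code from the paper. Markings with an $\omega$ component play the role of the lub-accelerated states: whenever a marking dominates an earlier one on the same path, the places the loop strictly increased are pumped to $\omega$ (the Karp and Miller acceleration, which for Petri nets is exactly $u^\omega$). The fork test of Definition 4 is then read off the finite graph of $\omega$-markings: a node $s$ with two successors under distinct labels from each of which some node $\geq s$ is reachable. Both nets are my reconstruction (an assumption) from the markings quoted in the text: for $\mathcal{N}'$ the transitions $a$, $b$, $c$, $d$ over places $(p_1, p_2, p_3, p_4)$, and for the client of Figure 1 the transitions $g$, $c$, $i$, $e$ over places (main, piped_multirpc, $n$, free window slots, pending calls).

```python
"""Added example, not part of the paper: lub-acceleration as omega markings
and the increasing-fork check of Definition 4 / Proposition 5 on Petri nets."""
from collections import deque

OMEGA = float("inf")  # limit value of a pumped place; compares above every int

# A Petri net is a list of (label, pre, post) vectors over its places.
# N' of Figure 3, reconstructed (an assumption) from a* U a^n b {c,d}^{<=n}.
NET_N_PRIME = [
    ("a", (1, 0, 0, 0), (1, 0, 1, 0)),  # loop on p1, counting in p3
    ("b", (1, 0, 0, 0), (0, 1, 0, 0)),  # move the token from p1 to p2
    ("c", (0, 1, 1, 0), (0, 1, 0, 0)),  # consume one p3 token under p2
    ("d", (0, 1, 1, 0), (0, 1, 0, 1)),  # same, and mark p4
]


def net_fig1():
    """Piped RPC client of Figure 1 with its grayed parametric part,
    reconstructed (an assumption) from the markings used in Section 3.2:
    places (main, piped_multirpc, n, free window slots, pending calls)."""
    return [
        ("g", (1, 0, 0, 0, 0), (1, 0, 1, 0, 0)),  # choose any n
        ("c", (1, 0, 0, 0, 0), (0, 1, 0, 0, 0)),  # call piped_multirpc
        ("i", (0, 1, 1, 1, 0), (0, 1, 0, 0, 1)),  # if branch: post an rpc
        ("e", (0, 1, 0, 0, 1), (0, 1, 0, 1, 0)),  # else branch: wait for one
    ]


def fire(marking, pre, post):
    """Successor of `marking` by the transition, or None if not enabled."""
    if any(m < p for m, p in zip(marking, pre)):
        return None
    return tuple(m if m == OMEGA else m - p + q
                 for m, p, q in zip(marking, pre, post))


def leq(m1, m2):
    return all(a <= b for a, b in zip(m1, m2))


def accelerate(ancestors, marking):
    """lub-acceleration: an ancestor m' <= marking, m' != marking, exhibits a
    loop u with m' <= u(m'); every strictly increased place is pumped to omega."""
    for anc in ancestors:
        if leq(anc, marking) and anc != marking:
            marking = tuple(OMEGA if a < b else b for a, b in zip(anc, marking))
    return marking


def coverability_graph(net, init):
    """Karp-Miller style exploration; finite by the wqo on omega-markings.
    Returns (nodes, edges) with edges (src, label, dst)."""
    nodes, edges, expanded = {init}, set(), set()
    work = deque([(init, ())])  # (marking, markings on the path to it)
    while work:
        m, ancestors = work.popleft()
        if m in expanded:
            continue
        expanded.add(m)
        for label, pre, post in net:
            succ = fire(m, pre, post)
            if succ is None:
                continue
            succ = accelerate(ancestors + (m,), succ)
            nodes.add(succ)
            edges.add((m, label, succ))
            work.append((succ, ancestors + (m,)))
    return nodes, edges


def reaches_cover(edges, start, target):
    """Is some marking >= target reachable from start (start included)?"""
    seen, stack = set(), [start]
    while stack:
        m = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        if leq(target, m):
            return True
        stack.extend(dst for src, _, dst in edges if src == m)
    return False


def find_increasing_fork(net, init):
    """Definition 4 read on the graph: a node s and labels a != b whose
    successors each lead to some s' >= s.  Returns (s, a, b) or None."""
    nodes, edges = coverability_graph(net, init)
    for s in sorted(nodes):
        labels = sorted({lab for src, lab, dst in edges
                         if src == s and reaches_cover(edges, dst, s)})
        if len(labels) >= 2:
            return s, labels[0], labels[1]
    return None


def is_trace_bounded(net, init):
    """Proposition 5: the trace set is bounded iff there is no increasing fork."""
    return find_increasing_fork(net, init) is None


if __name__ == "__main__":
    print(find_increasing_fork(NET_N_PRIME, (1, 0, 0, 0)))    # fork on c, d
    print(find_increasing_fork(net_fig1(), (1, 0, 0, 2, 0)))  # fork on e, i
    print(is_trace_bounded(net_fig1(), (1, 0, 0, 1, 0)))      # P = 1: bounded
```

On $\mathcal{N}'(1, 0, 0, 0)$ the fork is found at $(0, 1, \omega, 0)$ with labels $c$ and $d$, and on the client with $P = 2$ at $(0, 1, \omega, P-1, 1)$ with labels $e$ and $i$, matching the runs $ei$ and $ieei$ of the text; with $P = 1$ no fork exists and the net is trace bounded, as is $\mathcal{N}'(0, 1, n, 0)$. Petri nets are $\infty$-effective, which is what makes the $\omega$ marking computable here; for a general cd-WSTS the same search needs the $u^\omega$ oracle of Section 2.2, and Section 5.2 is where the choice of which sequences to accelerate turns this semi-algorithm into an algorithm.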

The remainder of the section details the proof of Proposition [5] 
An Increasing Fork Implies Unboundedness. The following lemma shows that, thanks to continuity, what happens in accelerated runs is mirrored in finite runs.

Lemma 6. Let $\mathcal{S}$ be a cd-WSTS and $n \geq 0$. If

$w_n = v_{n+1} u_n^\omega v_n \cdots u_1^\omega v_1 \in T^{acc}(\mathcal{S})$

with the $u_i$ in $\Sigma^+$ and the $v_i$ in $\Sigma^*$, then there exist $k_1, \dots, k_n$ in $\mathbb{N}$ such that

$w'_n = v_{n+1} u_n^{k_n} v_n \cdots u_1^{k_1} v_1 \in T(\mathcal{S})$.

Proof. We proceed by induction on $n$. In the base case where $n = 0$, $w_0 = v_1$ belongs trivially to $T(\mathcal{S})$; this concludes the proof if we are considering words in $T(\mathcal{S})$. For the induction part, let $s$ be a state such that

$s_0 \xrightarrow{v_{n+1} u_n^\omega} s \xrightarrow{w_{n-1}} s_f$,

i.e. $w_{n-1} = v_n u_{n-1}^\omega v_{n-1} \cdots u_1^\omega v_1$ is in $T^{acc}(\mathcal{S}(s))$. Therefore, using the induction hypothesis, we can find $k_1, \dots, k_{n-1}$ in $\mathbb{N}$ such that

$w'_{n-1} = v_n u_{n-1}^{k_{n-1}} v_{n-1} \cdots u_1^{k_1} v_1 \in T(\mathcal{S}(s))$.

Because $\mathcal{S}$ is complete, $\xrightarrow{w'_{n-1}}$ is a partial continuous function, hence with an open domain $O$. This domain $O$ contains in particular $s$, which by definition of $u_n^\omega$ is the lub of the directed set $\{s' \mid \exists m \in \mathbb{N}, s_0 \xrightarrow{v_{n+1} u_n^m} s'\}$. By definition of an open set, there exists an element $s'$ in $\{s' \mid \exists m \in \mathbb{N}, s_0 \xrightarrow{v_{n+1} u_n^m} s'\} \cap O$, i.e. there exists $k_n$ in $\mathbb{N}$ s.t. $s \geq s'$ and $s'$ can fire the transition sequence $w'_{n-1}$. □

Continuity is crucial for the soundness of our procedure, as can be better understood by considering the example of the WSTS $\mathcal{S}' = (\mathbb{N} \uplus \{\omega\}, 0, \{a, b\}, \to, \leq)$ with the transitions

$\forall n \in \mathbb{N}, n \xrightarrow{a} n+1$, $\omega \xrightarrow{a} \omega$, $\omega \xrightarrow{b} \omega$.

We obtain a bounded set of finite traces $T(\mathcal{S}'(0)) = a^*$, but reach the configuration $\omega$ through lub-accelerations, and then find an increasing fork with $T(\mathcal{S}'(\omega)) = \{a, b\}^*$, an unbounded language. Observe that $\mathbb{N}$ is a directed set with $\omega$ as lub, thus the domain of $\xrightarrow{b}$ should contain some elements of $\mathbb{N}$ in order to be open: $\mathcal{S}'$ is not a complete WSTS.

Lemma 7. Let $\mathcal{S}$ be a cd-WSTS. If $\mathcal{S}$ has an increasing fork, then $T(\mathcal{S})$ is unbounded.

Proof. Suppose that $\mathcal{S}$ has an increasing fork with the same notations as in Definition 4, and let $w$ in $\Sigma^{<\omega^2}$ be such that $s_0 \xrightarrow{w}_{acc} s$. By monotonicity, we can fire from $s$ the accelerated transitions of $au$ and the transitions of $bv$ in any order and any number of times, hence

$w \{au, bv\}^* \subseteq T^{acc}(\mathcal{S})$.
Figure 5: The construction of an increasing fork in the proof of Theorem 11.

Suppose now that $T(\mathcal{S})$ is bounded, i.e. that there exist $w_1, \ldots, w_n$ such that $T(\mathcal{S}) \subseteq w_1^* \cdots w_n^*$. Then, there exists a DFA $\mathcal{A} = (Q, q_0, \Sigma, \delta, F)$ such that $L(\mathcal{A}) = w_1^* \cdots w_n^*$ and thus $T(\mathcal{S}) \subseteq L(\mathcal{A})$. Set $N = |Q| + 1$. We have in particular
$$w\,(bv)^N au\,(bv)^N au \cdots au\,(bv)^N \in T_{\mathrm{acc}}(\mathcal{S})$$
with $N$ repetitions of the $(bv)^N$ factor. By Theorem 6 we can find some adequate finite sequences $w', u_1, \ldots, u_{N-1}$ in $\Sigma^*$ such that
$$w'\,(bv)^N a u_1\,(bv)^N a u_2 \cdots a u_{N-1}\,(bv)^N \in T(\mathcal{S})\,.$$
Because $T(\mathcal{S}) \subseteq L(\mathcal{A})$, this word is also accepted by $\mathcal{A}$, and we can find an accepting run for it. Since $N = |Q| + 1$, for each of the $N$ occurrences of the $(bv)^N$ factor, there exists a state $q_i$ in $Q$ such that $\delta(q_i, (bv)^{k_i}) = q_i$ for some $k_i > 0$. Thus the accepting run in $\mathcal{A}$ is of form
$$q_0 \xrightarrow{w'(bv)^{N-k_1-k_1'}} q_1 \xrightarrow{(bv)^{k_1}} q_1 \xrightarrow{(bv)^{k_1'} a u_1 (bv)^{N-k_2-k_2'}} q_2 \xrightarrow{(bv)^{k_2}} q_2 \xrightarrow{(bv)^{k_2'} a u_2 \cdots a u_{N-1} (bv)^{N-k_N-k_N'}} q_N \xrightarrow{(bv)^{k_N}} q_N \xrightarrow{(bv)^{k_N'}} q_f \in F$$
for some integers $k_i' \geq 0$. Again, since $N = |Q| + 1$, there exist $1 \leq i < j \leq N$ such that $q_i = q_j$, hence
$$\delta\big(q_i,\ (bv)^{k_i'} a u_i \cdots a u_{j-1} (bv)^{N-k_j-k_j'}\big) = q_i\,.$$
This implies that $\{(bv)^{k_i},\ (bv)^{k_i'} a u_i \cdots a u_{j-1} (bv)^{N-k_j-k_j'}\}^*$ is contained in the set of factors of $L(\mathcal{A})$ with
$$(bv)^{k_i+k_i'} a u_i \cdots a u_{j-1} (bv)^{N-k_j-k_j'} \neq (bv)^{k_i'} a u_i \cdots a u_{j-1} (bv)^{N-k_j-k_j'+k_i}$$
since $a \neq b$, thus $L(\mathcal{A})$ is an unbounded language (Ginsburg and Spanier, 1964, Lemma 5.3), a contradiction. □



Unboundedness Implies an Increasing Fork. We follow the arguments presented on the example of Figure 1 and prove that an increasing fork can always be found in an unbounded cd-WSTS.

Lemma 8. Let $L \subseteq \Sigma^*$ be an unbounded language. There exists $a$ in $\Sigma$ such that $a^{-1}L$ is also unbounded.

Proof. Observe that $L = \bigcup_{a \in \Sigma} a\,(a^{-1}L)$. If every $a^{-1}L$ were bounded, since bounded languages are closed under finite union and concatenation, $L$ would also be bounded. □

Definition 9. Let $L \subseteq \Sigma^*$ and $w \in \Sigma^+$. The removal of $w$ from $L$ is the language $\tilde{w}L = (w^*)^{-1}L \setminus w\Sigma^*$.

Lemma 10. If a cd-WSTS $\mathcal{S}$ has an unbounded trace set $T(\mathcal{S})$ in $\Sigma^*$, and $L$ is an unbounded subset of $T(\mathcal{S})$, then there are two words $v$ in $\Sigma^*$ and $u$ in $\Sigma^+$ such that $v u^\omega \in T_{\mathrm{acc}}(\mathcal{S})$, $vu \in \mathrm{Pref}(L)$ and $\tilde{u}(v^{-1}L)$ is also unbounded.



Proof. By Theorem 8 we can find a sequence $(a_j)_{j>0} \in \Sigma^\omega$ such that for all $n$ in $\mathbb{N}$, $(a_1 \cdots a_n)^{-1}L$ is unbounded. Let $(s_j)_{j \geq 0}$ be the corresponding sequence of configurations in $S^\omega$, such that $s_j \xrightarrow{a_{j+1}} s_{j+1}$. Because $(S, \leq)$ is a wqo, there exist $i < j$ such that $s_i \leq s_j$. We set $v = a_1 \cdots a_i$ and $u = a_{i+1} \cdots a_j$, which gives us $v \cdot u^\omega \in T_{\mathrm{acc}}(\mathcal{S})$. Remark that $v^{-1}L$ is unbounded, and, since $u^*\,\tilde{u}(v^{-1}L) = u^*(v^{-1}L)$, $\tilde{u}(v^{-1}L)$ is unbounded too. □

Note that it is also possible to ask that \vu\ > n for any given n, which we 
do in the proof of the following lemma. 

Lemma 11. If a cd-WSTS has an unbounded trace set, then it has an increasing fork.

Proof. We define simultaneously three infinite sequences, $(v_j, u_j)_{j>0}$ of pairs of words in $\Sigma^* \times \Sigma^+$, $(L_j)_{j \geq 0}$ of unbounded languages, and $(s_j)_{j \geq 0}$ of initial configurations: let $L_0 = T(\mathcal{S})$, and

• $v_{i+1}, u_{i+1}$ are chosen using Theorem 10 such that $v_{i+1} u_{i+1}^\omega$ is in $T_{\mathrm{acc}}(\mathcal{S}(s_i))$, $v_{i+1} u_{i+1}$ is in $\mathrm{Pref}(L_i)$, $|v_{i+1} \cdot u_{i+1}| > |u_i|$ if $i > 0$, and $\tilde{u}_{i+1}(v_{i+1}^{-1} L_i)$ is unbounded;

• $s_i \xrightarrow{v_{i+1} u_{i+1}} s_{i+1}$.

Since $\tilde{u}_{i+1}(v_{i+1}^{-1} L_i) \subseteq T(\mathcal{S}(s_{i+1}))$, we can effectively iterate the construction by the last point above.

Due to the wqo, there exist $i < j$ such that $s_i \leq s_j$. By construction $u_i$ is not a prefix of $v_{i+1} u_{i+1}$ and $|v_{i+1} u_{i+1}| > |u_i|$, so there exist $a \neq b$ in $\Sigma$ and a longest common prefix $x$ in $\Sigma^*$ such that $u_i = xby$ and $v_{i+1} u_{i+1} = xaz$. We exhibit an increasing fork by selecting $s, s_a, s_b$ such that (see Figure 5)
$$s_i \xrightarrow{x} s\,,\qquad s \xrightarrow{az\, v_{i+2} u_{i+2} \cdots v_j u_j\, x} s_a\,,\qquad s \xrightarrow{byx} s_b\,.\qquad \square$$

We will refine the arguments of Theorem 11 in Section 5.2. In particular, note that a strategy where the $v_{i+1} u_{i+1}$ sequences are the shortest possible defines a means to perform an exhaustive search for this particular brand of increasing forks, at no loss of generality as far as boundedness is concerned. Thus our semi-algorithm is actually an algorithm.
4 Undecidable Cases

This section establishes that the decidability of the boundedness property for cd-WSTS disappears if we consider more general systems or a more general property. Unsurprisingly, trace boundedness is undecidable on general systems like 2-counter Minsky machines (Section 4.1). It also becomes undecidable if we relax the determinism condition, by considering the case of labeled reset Petri nets (Section 4.2). We conclude by proving that post* flattability is undecidable for deterministic WSTS (Section 4.3). Note that completeness is irrelevant in all the following reductions.

4.1 General Systems 

We demonstrate that the boundedness problem is undecidable for traces of deterministic Minsky machines, by reduction from their halting problem. We could rely on Rice's Theorem, but find it more enlightening to present a direct proof that turns a Minsky machine $\mathcal{M}$ into a new one $\mathcal{M}'$, which halts if and only if $\mathcal{M}$ halts. The new machine has a bounded trace set if it halts, and an unbounded trace set otherwise.

Let us first recall that a deterministic Minsky machine is a tuple $\mathcal{M} = (Q, \delta, C, q_0)$ where $Q$ is a finite set of labels, $\delta$ a finite set of actions, $C$ a finite set of counters that take their values in $\mathbb{N}$, and $q_0 \in Q$ an initial label. A label $q$ identifies a unique action in $\delta$, which is of one of the following three forms:

$q$ : if $c = 0$ goto $q'$ else $c{-}{-}$; goto $q''$
$q$ : $c{+}{+}$; goto $q'$
$q$ : halt

where $q'$ and $q''$ are labels and $c$ is a counter. A configuration of $\mathcal{M}$ is a pair $(q, m)$ with $q$ a label in $Q$ and $m$ a marking in $\mathbb{N}^C$, and leads to a single next configuration $(q', m')$ by applying the action labeled by $q$ — which should be self-explanatory — if different from halt. A run of $\mathcal{M}$ starts with configuration $(q_0, \mathbf{0})$ and halts if it reaches a configuration that labels a halt action. We define the corresponding LTS semantics by $(q, m) \xrightarrow{q} (q', m')$ if $(q, m)$ and $(q', m')$ are two successive configurations of $\mathcal{M}$; note that there is at most one possible transition from any $(q, m)$ configuration, thus this LTS is deterministic. It is undecidable whether a 2-counter Minsky machine halts (Minsky 1967).

We also need a small technical lemma that relates the size of bounded ex- 
pressions with the size of some special words. 

Definition 12. The size of a bounded expression $w_1^* \cdots w_n^*$ is $\sum_{i=1}^n |w_i|$.

Lemma 13. Let $v_m \in (\Sigma \uplus \Delta)^*$ be a word of form $u_1 x_1 u_2 x_2 \cdots u_m x_m$ with $m \in \mathbb{N}$, $u_i \in \Sigma^+$, $x_i \in \Delta^+$ and $|x_i| < |x_{i+1}|$ for all $i$. If there exist $w_1, \ldots, w_n$ in $(\Sigma \uplus \Delta)^*$ such that $v_m \in w_1^* \cdots w_n^*$, then $\sum_{i=1}^n |w_i| \geq m$.

Proof. We consider for this proof the number of alphabet alternations $\mathrm{alt}(w)$ of a word $w$ in $(\Sigma \uplus \Delta)^*$, which we define using the unique decomposition of $w$ as $y_1 \cdots y_{\mathrm{alt}(w)}$ where each $y_i$ factor is non empty and in an alphabet different from that of its successor. For instance, $\mathrm{alt}(v_m)$ is $2m$. We relate the number of alternations produced by words $w_i$ of a bounded expression for $v_m$ with their lengths. More precisely, we show that, if
$$v_m = w_1^{j_1} \cdots w_n^{j_n}\,,$$
then for all $1 \leq i \leq n$
$$\mathrm{alt}(w_i^{j_i}) \leq 2|w_i|\,. \qquad (*)$$
Clearly, $(*)$ holds if $|w_i| = 0$ or $j_i = 0$. If a word $w_i$ is in $\Sigma^+$ or $\Delta^+$, then $\mathrm{alt}(w_i^j) = 1$ for all $j > 0$ and $(*)$ holds again. Otherwise, the word $w_i$ contains at least one alternation, and then $j_i \leq 2$: otherwise there would be two maximal $x$ factors (in $\Delta^+$) in $v_m$ with the same length. As each alternation inside $w_i$ requires at least one more symbol, we verify $(*)$. Therefore,
$$2m = \mathrm{alt}(w_1^{j_1} \cdots w_n^{j_n}) \leq \sum_{i=1}^n \mathrm{alt}(w_i^{j_i}) \leq 2 \sum_{i=1}^n |w_i|\,. \qquad \square$$
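As an added worked example (not code from the paper), the following Python program makes the quantities of Lemma 13 concrete on a constructed two-letter instance with $\Sigma = \{a\}$ and $\Delta = \{b\}$: it computes $\mathrm{alt}(w)$, decides membership of a word in a bounded expression $w_1^* \cdots w_n^*$ with an anchored regular expression, recovers the exponents $j_i$ of a factorization, checks the inequality $(*)$ on them, and finds by exhaustive search the smallest expression containing $v_3 = ab\,abb\,abbb$, whose size is at least $m = 3$ as the lemma predicts. The function names and the choice of alphabets are assumptions of this example.

```python
import itertools
import re

# Constructed instance of the lemma's setting: Sigma = {a}, Delta = {b} (disjoint alphabets).
SIGMA = frozenset("a")
DELTA = frozenset("b")


def alt(w):
    """Number of alphabet alternations of w: the number of maximal non-empty blocks
    lying entirely in Sigma or entirely in Delta (0 for the empty word)."""
    if not w:
        return 0
    blocks = 1
    for x, y in zip(w, w[1:]):
        if (x in SIGMA) != (y in SIGMA):
            blocks += 1
    return blocks


def make_v(m):
    """v_m = u_1 x_1 ... u_m x_m with u_i = a and x_i = b^i, so that |x_i| < |x_{i+1}|."""
    return "".join("a" + "b" * i for i in range(1, m + 1))


def factorization(v, words):
    """Exponents (j_1, ..., j_n) with v = w_1^{j_1} ... w_n^{j_n}, or None if v is not in
    w_1^* ... w_n^*; decided with an anchored regular expression, one group per factor."""
    if any(not w for w in words):
        raise ValueError("factors of a bounded expression must be non-empty")
    pattern = "".join("((?:%s)*)" % re.escape(w) for w in words)
    match = re.fullmatch(pattern, v)
    if match is None:
        return None
    return tuple(len(match.group(i + 1)) // len(w) for i, w in enumerate(words))


def size(words):
    """Size of the bounded expression w_1^* ... w_n^* (Definition 12)."""
    return sum(len(w) for w in words)


def alternation_bound_holds(words, exponents):
    """Inequality (*) of the proof: alt(w_i^{j_i}) <= 2|w_i| for every factor."""
    return all(alt(w * j) <= 2 * len(w) for w, j in zip(words, exponents))


def compositions(n):
    """All tuples of positive integers summing to n (candidate factor lengths)."""
    if n == 0:
        yield ()
        return
    for first in range(1, n + 1):
        for rest in compositions(n - first):
            yield (first,) + rest


def expressions_of_size(n, alphabet):
    """All tuples of non-empty words over alphabet with total length n."""
    for parts in compositions(n):
        pools = [["".join(t) for t in itertools.product(alphabet, repeat=k)] for k in parts]
        yield from itertools.product(*pools)


def min_expression_size(v, alphabet, max_size):
    """Smallest size of a bounded expression over alphabet containing v, searching
    sizes up to max_size; None if none exists within that bound."""
    for n in range(1, max_size + 1):
        for words in expressions_of_size(n, alphabet):
            if factorization(v, words) is not None:
                return n
    return None


if __name__ == "__main__":
    v3 = make_v(3)                          # "ababbabbb", alt(v3) = 6 = 2m
    print(v3, alt(v3))
    words = ("ab", "b", "a", "b")           # v3 = (ab)^2 b^1 a^1 b^3, size 5
    print(words, factorization(v3, words), alternation_bound_holds(words, factorization(v3, words)))
    print(min_expression_size(v3, "ab", 5))  # at least m = 3 by Lemma 13
```

The exhaustive search is exponential in the size bound and is only meant for tiny instances; the point is that every expression it finds for $v_3$ has size at least $3$, and that the exponents of any factorization satisfy $(*)$, which is the whole content of the lemma's proof on this instance.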

Proposition 14. Trace boundedness is undecidable for 2-counter Minsky machines.

Proof. We reduce from the halting problem for a 2-counter Minsky machine $\mathcal{M}$ with initial counters at zero. We construct a 4-counter Minsky machine $\mathcal{M}'$ such that $T(\mathcal{M}')$ is bounded iff $\mathcal{M}$ halts.

The machine $\mathcal{M}'$ adds two extra counters $c_3$ and $c_4$, initially set to zero, and new labels and actions to $\mathcal{M}$. These are used to insert longer and longer sequences of transitions at each step of the original machine: each label $q$ gives rise to the creation of five new labels $q'$, $q''$, $q^\sharp$, $q_\sharp$, $q^\flat$ that identify the following actions

$q'$ : if $c_3 = 0$ goto $q^\sharp$ else $c_3{-}{-}$; goto $q''$
$q''$ : $c_4{+}{+}$; goto $q'$
$q^\sharp$ : if $c_4 = 0$ goto $q^\flat$ else $c_4{-}{-}$; goto $q_\sharp$
$q_\sharp$ : $c_3{+}{+}$; goto $q^\sharp$
$q^\flat$ : $c_3{+}{+}$; goto $q$

and each subinstruction goto $q$ in the original actions is replaced by goto $q'$. The machine $\mathcal{M}'$ halts iff $\mathcal{M}$ halts. If it halts, then its trace set $T(\mathcal{M}')$ is a singleton $\{w\}$, and thus is bounded. If it does not halt, then its trace set is the set of finite prefixes of an infinite trace of form
$$q_0\,(q_1' q_1'')^0\, q_1^\sharp\, u_1\, q_1\,(q_2' q_2'')^1\, q_2^\sharp\, u_2\, q_2\,(q_3' q_3'')^2\, q_3^\sharp\, u_3 \cdots q_i\,(q_{i+1}' q_{i+1}'')^i\, q_{i+1}^\sharp\, u_{i+1}\, q_{i+1} \cdots$$
where $q_0 q_1 q_2 \cdots q_i q_{i+1} \cdots$ is the corresponding trace of the execution of $\mathcal{M}$ and the $u_i$ are sequences in $\{q_i^\sharp, q_{i\sharp}, q_i^\flat\}^*$. By Lemma 13 no expression $w_1^* \cdots w_n^*$ of finite size can be such that $T(\mathcal{M}') \subseteq w_1^* \cdots w_n^*$.

We then conclude thanks to the (classical) encoding of our 4-counter machine $\mathcal{M}'$ into a 2-counter machine $\mathcal{M}''$ using Gödel numbers (Minsky 1967): indeed, the encoding preserves the trace set (un-)boundedness of $\mathcal{M}'$. □
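The following Python program is an added example, not code from the paper: it implements the construction of $\mathcal{M}'$ above on the three action forms of the page and runs it on two constructed 2-counter machines, one that halts and one that loops forever. The ASCII label names `q'`, `q''`, `q#`, `q_#` and `qb` are this example's rendering of the five new labels, and the trace is taken to be the sequence of labels visited. On the looping machine the gadget blocks inserted between consecutive original labels have lengths $3, 7, 11, \ldots$ (that is, $4c_3 + 3$), the strict growth that Lemma 13 relies on; on the halting machine $\mathcal{M}'$ halts with a single trace.

```python
# Constructed encoding of the page's three action forms (labels and counters are strings):
#   ("test", c, q_zero, q_nonzero)   q : if c = 0 goto q_zero else c--; goto q_nonzero
#   ("inc", c, q_next)               q : c++; goto q_next
#   ("halt",)                        q : halt


def run(machine, q0, max_steps):
    """Run from (q0, all counters 0). Returns (trace, halted), the trace being the
    sequence of visited labels, cut after max_steps steps if the run has not halted."""
    counters = {}
    q = q0
    trace = [q]
    for _ in range(max_steps):
        action = machine[q]
        if action[0] == "halt":
            return trace, True
        if action[0] == "inc":
            _, c, q = action
            counters[c] = counters.get(c, 0) + 1
        else:
            _, c, q_zero, q_nonzero = action
            if counters.get(c, 0) == 0:
                q = q_zero
            else:
                counters[c] -= 1
                q = q_nonzero
        trace.append(q)
    return trace, False


def pad(machine):
    """Build M' from M: every goto q becomes goto q', and each original label q gets
    the five gadget labels q', q'', q#, q_# and qb (ASCII renderings chosen here)
    acting on the two fresh counters c3 and c4."""
    new = {}
    for q, action in machine.items():
        if action[0] == "inc":
            new[q] = ("inc", action[1], action[2] + "'")
        elif action[0] == "test":
            new[q] = ("test", action[1], action[2] + "'", action[3] + "'")
        else:
            new[q] = action
        new[q + "'"] = ("test", "c3", q + "#", q + "''")   # q'  : if c3 = 0 goto q# else c3--; goto q''
        new[q + "''"] = ("inc", "c4", q + "'")             # q'' : c4++; goto q'
        new[q + "#"] = ("test", "c4", q + "b", q + "_#")   # q#  : if c4 = 0 goto qb else c4--; goto q_#
        new[q + "_#"] = ("inc", "c3", q + "#")             # q_# : c3++; goto q#
        new[q + "b"] = ("inc", "c3", q)                    # qb  : c3++; goto q
    return new


def gadget_block_lengths(trace, original_labels):
    """Lengths of the maximal runs of gadget labels between consecutive original labels."""
    lengths, current = [], None
    for label in trace:
        if label in original_labels:
            if current is not None:
                lengths.append(current)
            current = 0
        elif current is not None:
            current += 1
    return lengths


def strictly_increasing(xs):
    return all(x < y for x, y in zip(xs, xs[1:]))


# Constructed sample 2-counter machines, initial label "q0", counters c1 and c2.
LOOPING = {"q0": ("inc", "c1", "q0")}                           # never halts
HALTING = {"q0": ("test", "c1", "q1", "q0"), "q1": ("halt",)}   # halts at once

if __name__ == "__main__":
    trace, halted = run(pad(HALTING), "q0", 100)
    print(halted, trace)                       # True ['q0', "q1'", 'q1#', 'q1b', 'q1']
    trace, halted = run(pad(LOOPING), "q0", 60)
    print(halted, gadget_block_lengths(trace, set(LOOPING)))   # False [3, 7, 11, 15, 19]
```

Each visit of the gadget moves $c_3$ into $c_4$ and back, then adds one to $c_3$, so the $i$-th inserted block has $4i + 3$ labels; the blocks therefore have pairwise distinct lengths, which is exactly the hypothesis on the $x_i$ factors in Lemma 13.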
Figure 6: The labeled reset Petri net $\mathcal{N}'$ of the proof of Proposition 15.

4.2 Nondeterministic WSTS

Regarding nondeterministic WSTS with bounded branching, we reduce state boundedness for reset Petri nets, which is undecidable (Mayr 2003, Theorem 13), to trace boundedness for labeled reset Petri nets. From a reset Petri net we construct a labeled reset Petri net similar to that of Figure 3 which hides the computation details thanks to a relabeling of the transitions. The new net consumes tokens using two concurrent, differently labeled transitions, so that the trace set can attest to state unboundedness.

Let us first recall that a marked Petri net is a tuple $\mathcal{N} = (P, \Theta, f, m_0)$ where $P$ and $\Theta$ are finite sets of places and transitions, $f$ a flow function from $(P \times \Theta) \cup (\Theta \times P)$ to $\mathbb{N}$, and $m_0$ an initial marking in $\mathbb{N}^P$. The set of markings $\mathbb{N}^P$ is ordered component-wise by $m \leq m'$ iff $\forall p \in P$, $m(p) \leq m'(p)$, and has the zero vector $\mathbf{0}$ as least element, such that $\forall p \in P$, $\mathbf{0}(p) = 0$. A transition $t \in \Theta$ can be fired in a marking $m$ if $f(p, t) \leq m(p)$ for all $p \in P$, and reaches a new marking $m'$ defined by $m'(p) = m(p) - f(p, t) + f(t, p)$ for all $p \in P$.

A labeled Petri net (without $\varepsilon$ labels) further associates a labeling letter-to-letter homomorphism $\sigma : \Theta \to \Sigma$, and can be seen as a WSTS $(\mathbb{N}^P, m_0, \Sigma, \to, \leq)$ where $m \xrightarrow{\sigma(t)} m'$ if the transition $t$ can be fired in $m$ and reaches $m'$. Determinism of such a system is decidable in ExpSpace (Atig and Habermehl 2009). An important class of deterministic Petri nets is defined by setting $\Sigma = \Theta$ and $\sigma = \mathrm{id}_\Theta$, thereby obtaining the so-called free labeled Petri nets.

A reset Petri net $\mathcal{N} = (P, \Theta, R, f, m_0)$ is a Petri net $(P, \Theta, f, m_0)$ with a set $R \subseteq P \times \Theta$ of reset arcs. The marking $m'$ reached after a transition $t$ from some marking $m$ is now defined for all $p$ in $P$ by
$$m'(p) = \begin{cases} f(t, p) & \text{if } (p, t) \in R \\ m(p) - f(p, t) + f(t, p) & \text{otherwise.} \end{cases}$$



Proposition 15. Trace boundedness is undecidable for labeled reset Petri nets. 

Proof. Let $\mathcal{N} = (P, \Theta, R, f, m_0)$ be a reset Petri net. We construct a $\sigma$-labeled reset Petri net $\mathcal{N}'$ which is bounded if and only if $\mathcal{N}$ is state bounded, thereby reducing the undecidable problem of state boundedness in reset Petri nets (Dufourd et al. 1999).

We construct $\mathcal{N}'$ from $\mathcal{N}$ by adding two new places $p_+$ and $p_-$, two sets of new transitions $t_p^c$ and $t_p^d$ for each $p$ in $P$, where each $t_p^\alpha$ for $\alpha$ in $\{c, d\}$ consumes one token from $p_-$ and from $p$ and puts one back in $p_-$, and one new transition $t_-$ that takes one token from $p_+$ and puts it in $p_-$. All the transitions of $\mathcal{N}$ are modified to take one token from $p_+$ and put it back. Finally, we set $m_0(p_+) = 1$ and $m_0(p_-) = 0$ in the new initial marking. The labeling homomorphism $\sigma$ from $\Theta \uplus \{t_-\} \uplus \{t_p^\alpha \mid \alpha \in \{c, d\},\ p \in P\}$ to $\{a, b, c, d\}$ is defined by $\sigma(t) = a$ for all $t \in \Theta$, $\sigma(t_-) = b$, $\sigma(t_p^c) = c$ and $\sigma(t_p^d) = d$ for all $p$ in $P$. See Figure 6 for a pictorial representation of $\mathcal{N}'$. Its behavior is to simulate $\mathcal{N}$ while a token is in $p_+$, with $a^*$ for trace, and to switch nondeterministically to a consuming behavior when transferring this token to $p_-$ through $t_-$. Then, $\mathcal{N}'$ consumes tokens from the places of $\mathcal{N}$ and produces strings in $\{c, d\}^*$ through the $t_p^c$ and $t_p^d$ transitions.

If $\mathcal{N}$ is not state bounded, then $\sum_{p \in P} m(p)$ for reachable markings $m$ of $\mathcal{N}'$ is not bounded either. Thus an arbitrary number of $t_p^c$ and $t_p^d$ transitions can be fired, resulting in a trace set containing any string in $\{c, d\}^*$ as suffix for $\mathcal{N}'$, which entails that it is not bounded. Conversely, if $\mathcal{N}$ is bounded, then $\sum_{p \in P} m(p)$ is bounded by some constant $n$ for all the reachable markings $m$ of $\mathcal{N}'$, hence $T(\mathcal{N}')$ is included in the set of prefixes of $a^* b \{c, d\}^n$, a bounded language. □

4.3 Trace vs. Post* Flattability 

The decidability of boundedness calls for the investigation of the decidability of less restrictive properties. Two natural candidates are post* flattability, which was proven undecidable for Minsky machines by Bardin et al. (2005), and cover flattability, which is already known to be undecidable for cd-WSTS (Finkel and Goubault-Larrecq 2009b).

We show that post* flattability is still undecidable for cd-WSTS. To this end, we reduce again state boundedness, this time in lossy channel systems (Mayr 2003), to post* flattability in an unlabeled functional lossy channel system, a deterministic variant introduced by Finkel and Goubault-Larrecq (2009a). Somewhat analogously to Proposition 15, the idea is to consume the channel contents on one end while adding an unbounded sequence to its other end, so that the set of reachable configurations reveals state unboundedness.

A lossy channel system (LCS) is a WSTS $\mathcal{C} = (Q \times M^*, (q_0, \varepsilon), \{!, ?\} \times M, \to, \preceq)$ where $Q$ is a finite set of states, $q_0 \in Q$ the initial state, $M$ a finite set of messages, $(q, w) \preceq (q', w')$ if $q = q'$ and $w \preceq w'$ — the subword relation —, and where the transition relation is defined from a finite relation $\delta \subseteq Q \times \{!, ?\} \times M \times Q$ with
$$(q, w) \xrightarrow{!a} (q', w') \quad \text{if } (q, !, a, q') \in \delta \text{ and } \exists w'' \in M^*,\ w'' \preceq w \text{ and } w' \preceq w''a\,,$$
$$(q, w) \xrightarrow{?a} (q', w') \quad \text{if } (q, ?, a, q') \in \delta \text{ and } \exists w'' \in M^*,\ a w'' \preceq w \text{ and } w' \preceq w''\,.$$
One can easily extend this definition to accommodate a finite set of channels and no-op transitions.



A functional lossy channel system (Finkel and Goubault-Larrecq 2009a) is defined in the same way except for the transition relation, which is now a partial function:
$$(q, w) \xrightarrow{!a} (q', wa) \quad \text{if } (q, !, a, q') \in \delta\,,$$
$$(q, uaw) \xrightarrow{?a} (q', w) \quad \text{if } (q, ?, a, q') \in \delta \text{ and } u \in (M \setminus \{a\})^*\,.$$
A functional LCS thus loses its channel contents lazily. There are some immediate relations between a LCS $\mathcal{C}$ and its corresponding functional LCS $\mathcal{C}'$, i.e. for the same $Q$, $M$, and $\delta$: $\mathrm{Post}^*_{\mathcal{C}'}((q_0, \varepsilon)) \subseteq \mathrm{Post}^*_{\mathcal{C}}((q_0, \varepsilon))$, $\mathrm{Cover}_{\mathcal{C}'}((q_0, \varepsilon)) = \mathrm{Cover}_{\mathcal{C}}((q_0, \varepsilon))$, and $T(\mathcal{C}') = T(\mathcal{C})$.
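As an added example (not part of the paper), the Python code below implements both transition relations on a constructed two-state LCS and explores the configurations reachable within a few steps, checking on that bounded exploration the three relations just stated, $\mathrm{Post}^*_{\mathcal{C}'} \subseteq \mathrm{Post}^*_{\mathcal{C}}$, $\mathrm{Cover}_{\mathcal{C}'} = \mathrm{Cover}_{\mathcal{C}}$ and $T(\mathcal{C}') = T(\mathcal{C})$, together with the fact that the two $\mathrm{Post}^*$ sets differ and that the functional one is not downward closed. The function names and the sample system are assumptions of the example; $\mathrm{Cover}$ is computed as the downward closure of $\mathrm{Post}^*$ under the subword order.

```python
from itertools import combinations


def subwords(w):
    """All scattered subwords of w (the subword order used by lossy channels)."""
    return {"".join(w[i] for i in idx)
            for r in range(len(w) + 1) for idx in combinations(range(len(w)), r)}


def lossy_step(delta, q, w):
    """Lossy semantics of the page: the channel may lose messages before and after
    the operation. Yields (label, q', w') for each transition (q, op, a, q') in delta."""
    for (p, op, a, p2) in delta:
        if p != q:
            continue
        if op == "!":
            for w2 in subwords(w):               # w'' subword of w
                for w3 in subwords(w2 + a):       # w' subword of w''a
                    yield (op + a, p2, w3)
        else:
            for w2 in subwords(w):               # a w'' subword of w ...
                if w2.startswith(a):
                    for w3 in subwords(w2[1:]):   # ... and w' subword of w''
                        yield (op + a, p2, w3)


def functional_step(delta, q, w):
    """Functional semantics: a write appends a; a read of a drops the a-free prefix u
    together with the first a, so losses happen lazily and the successor is unique."""
    for (p, op, a, p2) in delta:
        if p != q:
            continue
        if op == "!":
            yield (op + a, p2, w + a)
        elif a in w:
            i = w.index(a)                       # w = u a w' with u in (M \ {a})*
            yield (op + a, p2, w[i + 1:])


def explore(step, delta, q0, depth):
    """Configurations and traces reachable in at most `depth` steps from (q0, epsilon)."""
    layer = {((q0, ""), ())}
    config_set = {(q0, "")}
    trace_set = {()}
    for _ in range(depth):
        layer = {((q2, w2), tr + (lab,))
                 for (q, w), tr in layer for lab, q2, w2 in step(delta, q, w)}
        config_set |= {c for c, _ in layer}
        trace_set |= {t for _, t in layer}
    return config_set, trace_set


def downward_closure(configs):
    """Cover set: every configuration below a reachable one in the subword order."""
    return {(q, w2) for q, w in configs for w2 in subwords(w)}


# Constructed sample system: states s, t; messages a, b; tuples (q, op, message, q').
DELTA = {("s", "!", "a", "s"), ("s", "!", "b", "t"), ("t", "?", "a", "t"), ("t", "?", "b", "s")}


def compare(delta, q0, depth):
    """Check the relations between C (lossy) and C' (functional) on the configurations
    and traces reachable within `depth` steps."""
    post_c, traces_c = explore(lossy_step, delta, q0, depth)
    post_f, traces_f = explore(functional_step, delta, q0, depth)
    return {
        "post_functional_subset_of_post_lossy": post_f <= post_c,
        "cover_sets_coincide": downward_closure(post_f) == downward_closure(post_c),
        "trace_sets_coincide": traces_f == traces_c,
        "post_sets_differ": post_f != post_c,
        "functional_post_not_downward_closed": downward_closure(post_f) != post_f,
    }


if __name__ == "__main__":
    for name, ok in compare(DELTA, "s", 4).items():
        print(name, ok)
```

The last two checks are the reason the paper insists that, for functional LCS, the Cover and Post sets do not coincide: on the sample system the configuration $(t, a)$ is lossy-reachable but never functional-reachable, since the functional channel at $t$ always ends with the $b$ that brought the system there.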

Note that the following proposition is not a trivial consequence of the undecidability of cover-flattability in LCS (Finkel and Goubault-Larrecq 2009b), since in the case of functional LCS the Cover and Post sets do not coincide.

Proposition 16. Post* flattability is undecidable for functional lossy channel systems.

Proof. Let us consider a LCS $\mathcal{C} = (Q \times M^*, (q_0, \varepsilon), \{!, ?\} \times M, \to, \preceq)$ and its associated functional system $\mathcal{C}'$. We construct a new functional LCS $\mathcal{C}''$ which is post* flattable if and only if $\mathcal{C}$ is state bounded, thereby reducing from the undecidable state boundedness problem for lossy channel systems (Dufourd et al. 1999). Let us first remark that $\mathcal{C}$ is state bounded if and only if $\mathcal{C}'$ is state bounded, if and only if there is a maximal length $n$ to the channel content $w$ in any reachable configuration $(q, w) \in \mathrm{Post}^*_{\mathcal{C}'}((q_0, \varepsilon))$.

We construct $\mathcal{C}''$ by adding two new states $q_?$ and $q_!$ to $Q$, two new messages $c$ and $d$ to $M$, and a set of new transitions to $\delta$:
$$\{(q, ?, a, q_!) \mid a \in M,\ q \in Q\} \ \cup\ \{(q_!, !, a, q_?) \mid a \in \{c, d\}\} \ \cup\ \{(q_?, ?, a, q_!) \mid a \in M\}\,.$$
If $\mathcal{C}$ is state bounded, the writing transitions from $q_!$ can only be fired up to $n$ times since they are interspersed with reading transitions from $q_?$, hence $\mathcal{C}''$ has its channel content lengths bounded by $n$. Therefore, $\mathcal{C}''$ is equivalent to a DFA with $(Q \uplus \{q_!, q_?\}) \times (M \uplus \{c, d\})^{\leq n}$ as state set and $\{!, ?\} \times (M \uplus \{c, d\})$ as alphabet. By removing all the loops via a depth-first traversal from the initial configuration $(q_0, \varepsilon)$, we obtain a DFA $\mathcal{A}$ with a finite — and thus bounded — language, but with the same set of reachable states. Hence $\mathcal{C}''$ is post* flattable using $\mathcal{A}$.

Conversely, if $\mathcal{C}$ is not state bounded, then an arbitrarily long channel content can be obtained in $\mathcal{C}''$, before performing a transition to $q_!$ and producing an arbitrarily long sequence in $\{c, d\}^*$ in the channel of $\mathcal{C}''$, witnessing an unbounded trace suffix. Observe that, due to the functional semantics, $\mathcal{C}''$ has no means to remove these symbols, thus it has to put them in the channel in the proper order, by firing the transitions from $q_!$ in the same order. Therefore no DFA with a bounded language can be synchronized with $\mathcal{C}''$ and still allow all these configurations to be reached: $\mathcal{C}''$ is not post* flattable. □



5 Complexity of Boundedness 

Well-structured transition systems are a highly abstract class of systems, for which no complexity upper bounds can be given in general. Nevertheless, it is possible to provide precise bounds for several concrete classes of WSTS, and even to employ generic proof techniques to this end. Table 1 sums up our complexity results.

Table 1: Summary of complexity results for trace boundedness.

    Petri nets      Affine counter systems          Functional LCS
    ExpSpace-hard   $\mathbf{F}_\omega$-complete    $\mathbf{F}_{\omega^\omega}$-complete
                    (non primitive-recursive)       (non multiply-recursive)



Fast Growing Hierarchy  Our complexity bounds are often adequately expressed in terms of a family of fast growing functions, namely the generators $(F_\alpha)_\alpha$ of the Fast Growing Hierarchy (Löb and Wainer 1970), which form a hierarchy of ordinal-indexed functions $\mathbb{N} \to \mathbb{N}$. The first non primitive-recursive function of the hierarchy is obtained for $\alpha = \omega$, $F_\omega(n) = F_n(n)$ being a variant of the Ackermann function, and eventually majorizes any primitive-recursive function. Similarly, the first non multiply-recursive function is defined by $\alpha = \omega^\omega$ and eventually majorizes any multiply-recursive function.

We identify $\mathbf{F}_\alpha$ with the class of problems decidable using resources bounded by $O(F_\alpha(p(n)))$ for some polynomial $p$ and instance size $n$. Since $F_3$ is already non-elementary, the traditional distinctions between space and time, or between deterministic computations and nondeterministic ones, are irrelevant.



5.1 Lower Bounds 

Let us describe a generic recipe for establishing lower bounds: Given a system $\mathcal{S}$ that simulates a space-bounded Turing machine $\mathcal{M}$, hence with a finite number of different configurations $n_c$, assemble a new system $\mathcal{S}'$ that first weakly computes $n_c$, then simulates the runs of $\mathcal{S}$ but decreases some counter holding $n_c$ at each transition. Thus $\mathcal{S}'$ terminates and has a bounded trace set, but still simulates $\mathcal{M}$. Now, add two loops on two different symbols $a$ and $b$ from the configurations that simulate the halting state of $\mathcal{M}$, and therefore obtain a system which is trace-flattable if and only if $\mathcal{M}$ halts. Put differently, we reduce the control-state reachability problem in terminating systems to the boundedness problem.

We instantiate this recipe in the cases of Petri nets in Section 5.1.1 using Lipton (1976)'s results, for reset Petri nets (and thus affine counter systems) in Section 5.1.2 using Schnoebelen (2010)'s results, and for lossy channel systems in Section 5.1.3 using Chambart and Schnoebelen (2008)'s results. Although the complexity for Petri nets is quite significantly lower than for the other classes of systems, we also derive a non-primitive recursive lower bound on the size of a bounded expression for a trace bounded Petri net (Section 5.1.4).



5.1.1 ExpSpace Hardness for Petri Nets

Let us first observe that, since Karp and Miller (1969)-like constructions always terminate in Petri nets, the search for an increasing fork is an algorithm (instead of a semi-algorithm). However, the complexity of this algorithm is non primitive recursive.
Figure 7: The Petri net $\mathcal{N}'$ of the proof of Proposition 17.

We conjecture there is actually an exponential space procedure: State boundedness of Petri nets can be decided in exponential space using a procedure due to Rackoff (1978), as well as many more properties by an extension thereof to increasing paths formulas recently given by Atig and Habermehl (2009). However, it is unclear whether such a formula could be designed for boundedness, since accelerations violate the increasing condition — in this regard, boundedness is similar to the regularity of the trace language.

Meanwhile, we extend the ExpSpace hardness result of Lipton (Cardoza et al. 1976) for the Petri net coverability problem to the trace boundedness problem.

Proposition 17. Deciding the boundedness of a deterministic Petri net is ExpSpace-hard.

Proof. The ExpSpace hardness of deciding whether a Petri net has a bounded trace set can be shown by adapting a well-known construction by Lipton (Cardoza et al. 1976) — see also the description given by Esparza (1998) — for the ExpSpace hardness of the coverability problem in Petri nets. We refer the reader to their construction of an $O(n^2)$-sized $2^{2^n}$-bounded Petri net $\mathcal{N}$ that weakly simulates a $2^n$-space bounded Turing machine $\mathcal{M}$, such that a marking greater than some marking $m$ can be reached in $\mathcal{N}$ if and only if $\mathcal{M}$ halts. We construct a new free labeled Petri net $\mathcal{N}'$ from $\mathcal{N} = (P, \Theta, f, m_0)$ and the marking $m$. Since the places in $\mathcal{N}$ are bounded by $2^{2^n}$, only $n_c$ different configurations, a number doubly exponential in $n$, are reachable from $m_0$ in $\mathcal{N}$, therefore we can limit the length of all the computations in $\mathcal{N}$ to $n_c$ and still obtain the same reachability set.

We initially plug a subnet that weakly computes $n_c$ in a new place $p_t$, in less than $k n_c$ steps for some constant $k$. This subnet only uses a constant size and an initial submarking of size $O(n)$. We then simulate $\mathcal{N}$ but modify its transitions to consume one token from $p_t$ each time. Finally, a new transition that consumes $m$ from the subnet for $\mathcal{N}$ adds one token in another new place $p_h$ that allows two new different transitions $a$ and $b$ to be fired at will; see Figure 7.
Figure 8: The lossy channel system $\mathcal{C}'_{\mathcal{M}}$ for the proof of Proposition 19.

A run of $\mathcal{N}'$ either reaches $p_h$ and can then have any string in $\{a, b\}^*$ as a suffix, or is of length bounded by $(k+1) n_c$. Hence, $T(\mathcal{N}')$ is bounded if and only if a run of $\mathcal{N}$ reaches some $m' \geq m$, if and only if the $2^n$-space bounded Turing machine $\mathcal{M}$ halts, which proves the ExpSpace hardness of deciding the boundedness of a Petri net. □



5.1.2 Non-Primitive Recursive Lower Bound for Affine Counter Systems

Schnoebelen (2010) shows that reset Petri nets (and thus affine counter systems) can simulate Minsky machines with counters bounded by $F_k(x)$ for some finite $k$ and $x$. Thus we can encode a $F_\omega(p(n))$ space-bounded Turing machine for some polynomial $p$ using a $2^{F_\omega(p(n))}$-bounded Minsky machine. Since
$$2^{F_\omega(p(n))} = 2^{F_{p(n)}(p(n))} \leq F_2\big(F_{p(n)}(p(n))\big) \leq F_{p(n)+2}(p(n)) \leq F_{p(n)+3}(p(n))\,,$$
we can simulate this Minsky machine with a polynomial-sized reset Petri net, and we get:

Proposition 18. Trace boundedness of reset Petri nets is not primitive-recursive, more precisely it is hard for $\mathbf{F}_\omega$.

Proof sketch. The construction is almost exactly the same as for the proof of Schnoebelen (2010)'s Theorem 7.1 of hardness of termination. One simply has to replace extended instructions using reset transitions as explained in Schnoebelen (2010)'s Section 6, and to replace the single outgoing transition on $\ell_\omega$ by two different transitions, therefore yielding an unbounded trace set. □



5.1.3 Non-Multiply Recursive Lower Bound for Lossy Channel Systems

Chambart and Schnoebelen (2008) show that LCS can weakly compute any multiply-recursive function, and manage to simulate perfect channel systems (i.e. Turing machines) of size bounded by such functions, thereby obtaining a non multiply-recursive lower bound for LCS reachability. We prove that the same bound holds for boundedness.

Proposition 19. Trace boundedness of functional lossy channel systems is not multiply-recursive, more precisely it is hard for $\mathbf{F}_{\omega^\omega}$.
Proof. Chambart and Schnoebelen (2008) show that it is possible to perfectly simulate a Turing machine $\mathcal{M}$ with input $x$ and $k = p(|x|)$ for $p$ a polynomial function, that works in space bounded by $F_{\omega^\omega}(k) = F_{\omega^k}(k)$, with an LCS $\mathcal{C}_{\mathcal{M}}$ of size polynomial in $k$ and $|\mathcal{M}|$, such that a state $q_f$ of $\mathcal{C}_{\mathcal{M}}$ is reachable if and only if $\mathcal{M}$ halts. Furthermore, the number of distinct configurations $n_c = |Q| \cdot |M|^{F_{\omega^\omega}(k)}$ of $\mathcal{C}_{\mathcal{M}}$ can also be weakly computed in unary with an LCS of polynomial size, $Q$ being the set of states of $\mathcal{C}_{\mathcal{M}}$ and $M$ its message alphabet. Combining those two systems, we construct $\mathcal{C}'_{\mathcal{M}}$ that

1. first weakly computes $n_c$ (in a separate channel with a unary alphabet), and then

2. executes $\mathcal{C}_{\mathcal{M}}$ while decrementing $n_c$ at each transition step,

3. is able to loop on two added transitions $q_f \xrightarrow{!a} q_f$ and $q_f \xrightarrow{!b} q_f$, which do not decrement $n_c$, giving rise to an unbounded trace.

In a nutshell, all the runs of $\mathcal{C}'_{\mathcal{M}}$ that do not visit $q_f$ are terminating, being of length bounded by $n_c$. Consequently, $\mathcal{C}'_{\mathcal{M}}$ is unbounded if and only if $q_f$ is reachable, if and only if it was also reachable in $\mathcal{C}_{\mathcal{M}}$, if and only if $\mathcal{M}$ halts.

We conclude the proof by remarking that both the weak computation of $n_c$ and the perfect simulation of $\mathcal{M}$ keep working with the functional lossy semantics. □

5.1.4 Non-Primitive Recursive Size of a Bounded Expression for 
Petri Nets 

We derive a non primitive recursive lower bound on the computation of the words $w_1, \ldots, w_n$, already in the case of Petri nets. Indeed, the size of a covering tree can be non primitive recursive compared to the size of the Petri net (Cardoza et al. 1976, who attribute the idea to Hack). Using the same insight, we demonstrate that the words $w_1, \ldots, w_n$ themselves can be of non primitive recursive size. This complexity is thus inherent to the computation of the $w_i$'s.

Proposition 20. There exists a free labeled Petri net $\mathcal{N}$ with a bounded trace set $T(\mathcal{N})$ but such that for any words $w_1, \ldots, w_n$, if $T(\mathcal{N}) \subseteq w_1^* \cdots w_n^*$, then the size $\sum_{i=1}^n |w_i|$ is not primitive recursive in the size of $\mathcal{N}$.

Proof. We consider for this proof a Petri net that weakly computes a non primitive recursive function $A : \mathbb{N} \to \mathbb{N}$. The particular example displayed in Figure 9 is taken from a survey by Jantzen (1987), where $A$ is defined for all $m$ and $n$ by
$$A(n) = A'_n(2)\,,\qquad A'_0(n) = 2n + 1\,,\qquad A'_{m+1}(0) = 1\,,\qquad A'_{m+1}(n+1) = A'_m\big(A'_{m+1}(n)\big)\,.$$
The marked Petri net $\mathcal{N}$ for $A(n)$ is of linear size in $n$ and its trace set $L$ is finite, and therefore bounded, but contains words of non primitive recursive length compared to $n$.

Although it might seem intuitively clear that we need a collection of words $w_1, \ldots, w_n$ of non primitive recursive size in order to capture this trace set, the proof is slightly more involved. Observe for instance that the finite trace set $\{a^p\}$ where $p$ is an arbitrary number is included in the bounded expression $a^*$ of size $|a| = 1$. Thus there is no general upper bound to the ratio between the size $\sum_{w \in L} |w|$ of a finite trace set $L$ and the size of the minimal collection of words that proves that $L$ is bounded.

Figure 9: A Petri net that weakly computes $A'_m$ (Jantzen 1987).

Let us consider the maximal run in the Petri net for $A(n)$. We focus on the two black transitions labeled $a$ and $b$ in Figure 9 and more precisely on the suffix of the run where we compute $A'_n(2) = A'_1(p)$ with
$$p = A'_2\big(A'_3(\cdots(A'_n(1) - 1)\cdots) - 1\big)\,.$$
This computation takes place in the subnet for $A'_0$ and $A'_1$ solely, and this suffix is of form $v = a b^{k_0} a b^{k_1} \cdots a b^{k_p}$ with $k_0 = 1$, $k_{i+1} = 2k_i + 1$, and $k_p = A'_1(p) = A'_n(2)$. By Lemma 13 any bounded expression such that $v \in w_1^* \cdots w_n^*$ has size
$$\sum_{i=1}^n |w_i| \geq p\,.$$
We conclude by noting (1) that $p$ is already the image of $n$ by a non primitive recursive function, and (2) that $v$ is the suffix of the projection $u$ of a word in $T(\mathcal{N})$ on the alphabet $\{a, b\}$: hence, if a bounded expression of primitive recursive size with $T(\mathcal{N}) \subseteq w_1^* \cdots w_n^*$ existed, then the projections $w_i'$ of the $w_i$ on $\{a, b\}$ would be such that $|w_i'| \leq |w_i|$ and $u \in w_1'^* \cdots w_n'^*$, and would yield an expression of primitive recursive size for $v$. □



In the case of Petri nets we are in a situation comparable to that of context-free languages: boundedness is decidable with a noticeably smaller complexity than the complexity of the size of the corresponding bounded expression (see Gawrychowski et al. (2010) for a PTime algorithm for deciding boundedness of a context-free grammar, and Habermehl and Mayr for an example of an expression exponentially larger than the grammar).



5.2 Upper Bounds 

We provide another recipe for proving upper bounds for trace-boundedness in 
cd-WSTS, relying on existing miniaturization results on wqo, which prove upper 
bounds on the length of controlled bad sequences: 



Controlled Good and Bad Sequences  Let $(S, \leq)$ be a quasi order. A sequence $s_0 \cdots s_n$ in $S^*$ is $r$-good if there exist $0 \leq i_0 < i_1 < \cdots < i_r \leq n$ with $s_{i_j} \leq s_{i_{j+1}}$ for all $0 \leq j < r$, and is $r$-bad otherwise. In the case $r = 1$, we say more simply that the sequence is good (resp. bad). The wqo condition thus ensures that any infinite sequence is good.

Given two functions $p : S \to \mathbb{N}$ and $g : \mathbb{N} \to \mathbb{N}$, $g$ monotone s.t. $g(x) \geq x$ for all $x$, and $t$ in $\mathbb{N}$, a sequence $s_0 \cdots s_n$ is controlled by $(p, g, t)$ if, for each $i$,
$$p(s_i) \leq g^i(t)\,.$$
A cd-WSTS $(S, s_0, \Sigma, \to, \leq)$ is controlled by $(p, g, t)$ if
1. $p(s_0) \leq t$,
2. for any single step $s \xrightarrow{a} s'$, $p(s') \leq g(p(s))$, and
3. for any accelerated step $s \twoheadrightarrow s'$, $p(s') \leq g^{\cdots}(p(s))$.

Using these notions, and by a careful analysis of the proof of Proposition 5, we exhibit in Section 5.2.1 a witness of unboundedness under the form of a good $(p, g, t)$-controlled sequence $s_0 \cdots s_n$ of $S^*$ in a $(p, g, t)$-controlled WSTS. There is therefore a longest bad prefix to this witness, which is still controlled.

The particular way of generating this sequence yields an algorithm, since as a consequence of the wqo, the depth of exploration in the search for this witness of unboundedness is finite, and we can therefore replace the two semi-algorithms of Section 3 by a single algorithm that performs an exhaustive search up to this depth. Furthermore, when upper bounds on the maximal length of bad controlled sequences (aka miniaturizations) are known, we can derive explicit upper bounds on this depth; this is how the upper bounds of Table 1 are obtained (see Section 5.2.2 and Section 5.2.3).



5.2.1 Extracting a Controlled Good Sequence 

Let us assume we are given an unbounded $(p, g, t)$-controlled cd-WSTS $\mathcal{S}$, and let us consider the three infinite sequences defined in the proof of Lemma 11, namely $(v_i, u_i)_{i > 0}$ of pairs of words in $\Sigma^* \times \Sigma^+$, $(L_i)_{i \geq 0}$ of unbounded languages, and $(s_i)_{i \geq 0}$ of states starting with the initial state $s_0$. By construction, $(s_i)_{i \geq 0}$ is good; however, this sequence is not controlled by a "reasonable" function in terms of $g$, because we use the wqo argument at each step (when we employ Lemma 10 to construct $s_{i+1}$ from $s_i$), hence the motivation for refining this first sequence. A solution is to also consider some of the intermediate configurations along the transition sequence $v_{i+1}u_{i+1}$ starting in $s_i$, so that the index of each state in the new sequence better reflects how the state was obtained.

Lemma 21. Let $\mathcal{S} = (S, s_0, \Sigma, \to, \leq)$ be a $(p, g, t)$-controlled cd-WSTS. Then we can construct a specific $(p, g^2, t)$-controlled sequence which is good if and only if $\mathcal{S}$ is trace unbounded.

Proof. As in the proof of Lemma 11, we construct inductively on $i$ the following three infinite sequences $(v_i, u_i)_{i > 0}$, $(L_i)_{i \geq 0}$ starting with $L_0 = T(\mathcal{S})$, and $(s_i)_{i \geq 0}$ starting with the initial state $s_0$ of $\mathcal{S}$, such that

• $v_{i+1}, u_{i+1}$ are chosen using Lemma 10 such that

1. $v_{i+1}u_{i+1}^{\omega}$ is in $T^{acc}(\mathcal{S}(s_i))$,

2. $v_{i+1}u_{i+1}$ is in $\mathrm{Pref}(L_i)$,

3. $|v_{i+1}| \geq |u_i|$ if $i > 0$ (and thus $|v_{i+1}u_{i+1}| > |u_i|$ as in the proof of Lemma 11),

4. $u_{i+1}^{-1}(v_{i+1}^{-1} L_i)$ is unbounded, and

5. there do not exist two successive strict prefixes $p, p'$ of $v_{i+1}u_{i+1}^{\omega}$ such that $|p| \geq |u_i|$ and $s_i \xrightarrow{p} s'$, $s_i \xrightarrow{p'} s''$ with $s' \leq s''$, i.e. $v_{i+1}u_{i+1}$ is the shortest choice for Lemma 10 and (1-4) above;

• $s_i \twoheadrightarrow^{v_{i+1}u_{i+1}} s_{i+1}$;

• $L_{i+1} = u_{i+1}^{-1}(v_{i+1}^{-1} L_i)$.

We define another sequence of states $(s_{i,j})_{i \geq 0, j \in J_i}$ by $s_i \xrightarrow{p_{i,j}} s_{i,j}$ with $p_{i,j}$ the prefix of length $j$ of $v_{i+1}u_{i+1}$, where

$$J_0 = \{0, \ldots, |v_1u_1| - 1\} \quad\text{and}\quad J_i = \{|u_i|, \ldots, |v_{i+1}u_{i+1}| - 1\} \text{ for } i > 0.$$

Because $|u_i| > 0$ for each $i > 0$, none of the $(s_i)_{i > 0}$ appears in the sequence $(s_{i,j})_{i \geq 0, j \in J_i}$. Note that condition (5) on the choice of $v_{i+1}u_{i+1}$ ensures that, for each $i \geq 0$, each factor $(s_{i,j})_{j \in J_i}$ is a bad sequence.

This infinite sequence of states $(s_{i,j})_{i \geq 0, j \in J_i}$ can be constructed whenever we are given an unbounded cd-WSTS, and is necessarily good due to the wqo. Our aim will be later to bound the length of its longest bad prefix. In order to do so, we need to control this sequence:

Claim 21.1. The sequence $(s_{i,j})_{i \geq 0, j \in J_i}$ is controlled by $(p, g^2, t)$.

Proof. Since $\mathcal{S}$ is $(p, g, t)$-controlled, we can control the accelerated transition sequence that led to a given $s_{i,j}$: first reach $s_i$, and then apply $j$ single step transitions. Formally, put for all $i \geq 0$

$$k_0 = 0, \qquad k_{i+1} = k_i + |v_{i+1}| + |u_{i+1}|$$

where $|v_{i+1}|$ accounts for the single steps and $|u_{i+1}|$ for the accelerated step in $s_i \twoheadrightarrow s_{i+1}$; then we have for all $i \geq 0$ and $j \in J_i$

$$p(s_{i,j}) \leq g^{k_i + j}(t).$$

We need to relate this weight with the index of each $s_{i,j}$ in the $(s_{i,j})_{i \geq 0, j \in J_i}$ sequence. We define accordingly for all $i \geq 0$ and $j \in J_i$

$$\ell_{0, \min J_0} = 0, \qquad \ell_{i, j+1} = \ell_{i,j} + 1, \qquad \ell_{i+1, \min J_{i+1}} = \ell_{i, \min J_i} + |J_i|.$$

In order to prove our claim, namely that $p(s_{i,j}) \leq g^{2 \cdot \ell_{i,j}}(t)$, we show by induction on $(i, j)$ ordered lexicographically that

$$k_i + j \leq 2 \cdot \ell_{i,j}.$$

The base case for $i = 0$ and $j = \min J_0 = 0$ is immediate, since $k_0 + j = 0 = 2 \cdot \ell_{0,0}$. For the induction step on $j$, $k_i + j + 1 \leq 2 \cdot \ell_{i,j} + 1 \leq 2 \cdot \ell_{i,j+1}$, and for the induction step on $i$,

$$\begin{aligned}
k_{i+1} + \min J_{i+1} &= k_{i+1} + |u_{i+1}| &&\text{(by def. of } J_{i+1})\\
&= k_i + 2|u_{i+1}| + |v_{i+1}| &&\text{(by def. of } k_{i+1})\\
&= k_i + |u_i| + 2|u_{i+1}| + |v_{i+1}| - |u_i| \\
&= k_i + \min J_i + 2|u_{i+1}| + |v_{i+1}| - |u_i| &&\text{(by def. of } J_i)\\
&\leq 2 \cdot \ell_{i,\min J_i} + 2|u_{i+1}| + |v_{i+1}| - |u_i| &&\text{(by ind. hyp.)}\\
&\leq 2 \cdot \ell_{i,\min J_i} + 2|u_{i+1}| + 2|v_{i+1}| - 2|u_i| &&\text{(since } |v_{i+1}| \geq |u_i|)\\
&= 2 \cdot \ell_{i+1,\min J_{i+1}} &&\text{(by def. of } \ell_{i+1,\min J_{i+1}}).
\end{aligned}$$

Thus by monotonicity of $g$,

$$p(s_{i,j}) \leq g^{k_i + j}(t) \leq g^{2\ell_{i,j}}(t). \qquad □$$

We also need to show that such a good sequence is a witness for unboundedness, which we obtain thanks to Lemma 7 and the following claim:

Claim 21.2. If the sequence $(s_{i,j})_{i \geq 0, j \in J_i}$ is good, then $\mathcal{S}$ has an increasing fork.

Proof. Let $s_{i,j}$ and $s_{i',j'}$ be two elements of the sequence witnessing goodness, such that $s_{i,j}$ occurs before $s_{i',j'}$ and $s_{i,j} \leq s_{i',j'}$. Due to the constraints put on the choices of $v_{i+1}$ and $u_{i+1}$ for each $i$, we know that $i < i'$. Similarly to the proof of the lemma above, there exists a longest common prefix $x$ in $\Sigma^*$ and two symbols $a \neq b$ in $\Sigma$ such that $v_{i+1}u_{i+1} = xaz$ and $u_{i+1} = xby$ for some $y$ and $z$ in $\Sigma^*$. Let us further call $p'_{i,j}$ the suffix of $v_{i+1}u_{i+1}$ such that $v_{i+1}u_{i+1} = p_{i,j}p'_{i,j}$, hence such that we get a fork by selecting $s$, $s_a$, and $s_b$ such that

Pi azu^-'-v^u^ps j, Pi j u t+i x byx 
Sij » S S » Si'ji » S a S > Sf, . 

Note that because $|x| < |u_{i+1}|$ and $i < i'$, $s_{i',j'}$ is necessarily met after $s$ and the construction is correct. See also Figure 10. □

Figure 10: The construction of an increasing fork in the proof of Claim 21.2.



This concludes the proof of the lemma: $\mathcal{S}$ is trace unbounded if and only if $(s_{i,j})_{i \geq 0, j \in J_i}$ is good. □

In the following, we essentially bound the complexity of trace boundedness using bounds on the length of the $(s_{i,j})_{i \geq 0, j \in J_i}$ sequence. This is correct modulo a few assumptions on the concrete systems we consider, and because the fast growing upper bounds we obtain dwarf any additional complexity sources. For instance, a natural assumption would be for the size of the representation of an element $s$ of $S$ to be less than $p(s)$, but actually any primitive-recursive function of $p(s)$ would still yield the same upper bounds!



5.2.2 $F_\omega$ Upper Bound for Affine Counter Systems

We match the $F_\omega$ lower bound of Proposition 18 for affine counter systems, thus establishing that boundedness is $F_\omega$-complete. We employ the machinery of Claims 21.1 and 21.2 and proceed by showing that

1. complete affine counter systems are controlled, and that

2. one can provide an upper bound on the length of bad sequences in $(\mathbb{N} \uplus \{\omega\})^k$.



Controlling Complete Affine Counter Systems Recall that an affine counter system (ACS) $(L, X_0)$ is a finite set $L$ of affine transition functions of form $f(X) = AX + b$, with $A$ a matrix in $\mathbb{N}^{k \times k}$ and $b$ a vector in $\mathbb{Z}^k$, along with an initial configuration $X_0$ in $\mathbb{N}^k$. A transition $f$ is firable in configuration $X$ of $\mathbb{N}^k$ if $f(X) \geq 0$, and leads to a new configuration $f(X)$.

Define the weight $p(X)$ of a configuration in $(\mathbb{N} \uplus \{\omega\})^k$ as the maximal value $\max(\{0\} \cup \{X[j] \neq \omega \mid 1 \leq j \leq k\})$. Also set $m_1$ as the maximal coefficient

$$m_1 = \max_{f(X) = AX + b \in L,\ 1 \leq i, j \leq k} A[i, j]$$

and $m_2$ as the maximal constant

$$m_2 = \max_{f(X) = AX + b \in L,\ 1 \leq i \leq k} b[i].$$

In case of a single step transition using some function $f$ in $L$, one has

$$p(f(X)) \leq k \cdot m_1 \cdot p(X) + m_2,$$

while in case of an accelerated transition sequence, one has the following:

Claim 22.1. Let $u = f_n \circ \cdots \circ f_1$ be a transition sequence in $L^+$ with $u(X) \geq X$. Then $p(u^\omega(X)) \leq (k \cdot m_1)^{n \cdot k} \cdot (p(X) + n \cdot k \cdot m_2)$.

Proof. We first proceed by proving that $k$ iterations of $u$ are enough in order to compute the finite values in $u^\omega(X)$.

Let us set $u(X) = AX + b$, $d_n = u^{n+1}(X) - u^n(X)$, and $d_0 = d$. Since $u(X) \geq X$, for any coordinate $1 \leq j \leq k$, the limit $\lim_{n \to \omega} u^n(X)[j]$ exists, and is finite if and only if there exists $m$ such that for all $n \geq m$, $d_n[j] = 0$. As $d_{n+1} = u^{n+2}(X) - u^{n+1}(X) = A \cdot u^{n+1}(X) + b - (A \cdot u^n(X) + b) = A \cdot (u^{n+1}(X) - u^n(X)) = A \cdot d_n$, we have $d_n = A^n \cdot d$.

If we consider $A$ as the adjacency matrix of a weighted graph with $k$ vertices, its $A^n[i,j]$ entry is the sum of the weights of all the paths $\psi = \psi_0\psi_1 \cdots \psi_n$ of length $n$ through the matrix, which start from $\psi_0 = i$ and end in $\psi_n = j$, i.e.

$$A^n[i,j] = \sum_{\psi \in \{i\} \times [1,k]^{n-1} \times \{j\}}\ \prod_{\ell \in [0, n-1]} A[\psi_\ell, \psi_{\ell+1}]$$

$$d_n[j] = \sum_{\psi \in [1,k]^{n} \times \{j\}} \Big( d[\psi_0] \cdot \prod_{\ell \in [0, n-1]} A[\psi_\ell, \psi_{\ell+1}] \Big).$$

Since $u(X) \geq X$ and $A$ contains positive integers from $\mathbb{N}$, $d_n[j] = 0$ iff each of the above products is null, iff there is no path of length $n$ in the graph of $A$ starting from a non-null $d[i]$. Therefore, if there exists $n \geq k$ such that $d_n[j] > 0$, then there is a path with a loop in the graph. In such a case there are infinitely many $m$ such that $d_m[j] > 0$. A contrario, if there exists $m$ such that for all $n \geq m$, $d_n[j] = 0$, then $m = k$ is enough: if $u^\omega(X)[j] \in \mathbb{N}$, then $u^\omega(X)[j] = u^k(X)[j]$.

Let us derive the desired upper bound on the size of $u^\omega(X)$: either $u^\omega(X)[j] = \omega$ and the $j$th coordinate does not contribute to $p(u^\omega(X))$, or $u^\omega(X)[j] \in \mathbb{N}$ and $u^\omega(X)[j] = u^k(X)[j]$. Let $f_i(X) = A_i \cdot X + b_i$; we have

$$A = \prod_{i=n}^{1} A_i \qquad b = \sum_{j=1}^{n} \Big(\prod_{i=n}^{j+1} A_i\Big) b_j$$

$$u^k(X) = A^k \cdot X + \sum_{\ell=0}^{k-1} A^\ell \cdot b = \Big(\prod_{i=n}^{1} A_i\Big)^k X + \sum_{\ell=0}^{k-1} \sum_{j=1}^{n} \Big(\prod_{i=n}^{1} A_i\Big)^\ell \Big(\prod_{i=n}^{j+1} A_i\Big) b_j$$

thus

$$\begin{aligned}
p(u^k(X)[j]) &\leq p(A^k \cdot X) + \sum_{\ell=0}^{k-1} p(A^\ell \cdot b)\\
&\leq (k \cdot m_1)^{n \cdot k} \cdot p(X) + n \cdot k \cdot (k \cdot m_1)^{n \cdot k} \cdot m_2\\
&= (k \cdot m_1)^{n \cdot k} \cdot (p(X) + n \cdot k \cdot m_2). \qquad □
\end{aligned}$$
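The following Python code, added here and not part of the paper, implements the weight $p$, the single-step bound $p(f(X)) \leq k \cdot m_1 \cdot p(X) + m_2$ and the $\omega$-acceleration argument of Claim 22.1 on constructed affine counter systems, and runs the $r$-good and $(p, g, t)$-control checks of Section 5.2 over a short run. The rule of testing $d_n[j]$ only for $n \in [k, 2k)$ is an assumption derived from the loop argument in the proof, not a statement of the paper.

```python
# Added example, not from the paper: affine counter systems of Section 5.2.2
# (weight p, single-step bound, omega-acceleration of Claim 22.1) and the
# r-good / (p, g, t)-controlled checks of Section 5.2.  All data is constructed.

OMEGA = float("inf")  # stands for the paper's omega (unbounded coordinate)

def apply_affine(A, b, X):
    """f(X) = A.X + b for a finite configuration X in N^k."""
    k = len(X)
    return [sum(A[i][j] * X[j] for j in range(k)) + b[i] for i in range(k)]

def weight(X):
    """p(X) = max({0} U {X[j] : X[j] != omega}), the weight of Section 5.2.2."""
    return max([0] + [x for x in X if x != OMEGA])

def compose(fs):
    """u = f_n o ... o f_1 for fs = [f_1, ..., f_n], f = (A, b), as one affine map:
    A = A_n ... A_1 and b = sum_j A_n ... A_{j+1} b_j (expansion used in Claim 22.1)."""
    k = len(fs[0][1])
    A = [[int(i == j) for j in range(k)] for i in range(k)]  # identity
    b = [0] * k
    for A_j, b_j in fs:  # f_j(A.X + b) = (A_j A).X + (A_j b + b_j)
        A = [[sum(A_j[i][l] * A[l][m] for l in range(k)) for m in range(k)]
             for i in range(k)]
        b = apply_affine(A_j, b_j, b)
    return A, b

def omega_accelerate(A, b, X):
    """u^omega(X) for u(X) = A.X + b with u(X) >= X, following Claim 22.1: with
    d_n = u^{n+1}(X) - u^n(X) = A^n.d, coordinate j is finite iff d_n[j] = 0 for
    all n >= k, and then equals u^k(X)[j].  Testing only n in [k, 2k) is an
    assumption added here: a positive-weight path of length >= 2k in the graph of
    A contains a cycle of length <= k that can be cut out, so a positive d_n[j]
    with n >= k implies one with n in [k, 2k)."""
    k = len(X)
    d = [y - x for y, x in zip(apply_affine(A, b, X), X)]
    if min(d) < 0:
        raise ValueError("acceleration requires u(X) >= X")
    ds = [d]
    for _ in range(2 * k - 1):  # d_0 .. d_{2k-1}
        ds.append(apply_affine(A, [0] * k, ds[-1]))
    Xk = list(X)
    for _ in range(k):  # u^k(X)
        Xk = apply_affine(A, b, Xk)
    return [OMEGA if any(ds[n][j] > 0 for n in range(k, 2 * k)) else Xk[j]
            for j in range(k)]

def claim_22_1_bound(k, n, m1, m2, pX):
    """(k.m1)^(n.k) . (p(X) + n.k.m2), the upper bound of Claim 22.1."""
    return (k * m1) ** (n * k) * (pX + n * k * m2)

def product_leq(X, Y):
    """Product ordering on (N u {omega})^k, with n <= omega for every n."""
    return all(x <= y for x, y in zip(X, Y))

def longest_chain(seq, leq):
    """Longest s_{i_0} <= s_{i_1} <= ... with i_0 < i_1 < ... (quadratic DP); the
    sequence is r-good in the sense of Section 5.2 iff this is at least r + 1."""
    best = [1] * len(seq)
    for i in range(len(seq)):
        for h in range(i):
            if leq(seq[h], seq[i]):
                best[i] = max(best[i], best[h] + 1)
    return max(best, default=0)

def is_controlled(seq, p, g, t):
    """(p, g, t)-control of Section 5.2: p(s_i) <= g^i(t) for every index i."""
    bound = t
    for s in seq:
        if p(s) > bound:
            return False
        bound = g(bound)
    return True

# Constructed ACS with k = 3: F(X) = (x1 + 1, x1 + x2, x3) grows for ever,
# G(X) = (x1, x1, x2) stabilises after a few iterations.
F = ([[1, 0, 0], [1, 1, 0], [0, 0, 1]], [1, 0, 0])
G = ([[1, 0, 0], [1, 0, 0], [0, 1, 0]], [0, 0, 0])

def demo():
    """Three steps of F from X0, then the control, goodness and Claim 22.1 checks."""
    X0, k = [0, 0, 5], 3
    run = [X0]
    for _ in range(3):
        run.append(apply_affine(F[0], F[1], run[-1]))
    m1, m2 = max(map(max, F[0])), max(F[1])  # largest coefficient / constant of L = {F}
    acc = omega_accelerate(*compose([F]), X0)  # (omega, omega, 5)
    return {
        "run": run,
        "single_step_ok": all(weight(y) <= k * m1 * weight(x) + m2
                              for x, y in zip(run, run[1:])),
        "controlled": is_controlled(run, weight, lambda x: k * m1 * x + m2, weight(X0)),
        "chain": longest_chain(run, product_leq),  # 4: the run is 3-good
        "u_omega": acc,
        "claim_ok": weight(acc) <= claim_22_1_bound(k, 1, m1, m2, weight(X0)),
    }

if __name__ == "__main__":
    print(demo())
```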
Miniaturization

Proposition 22. Trace boundedness for affine counter systems is in $F_\omega$.



Proof. Define the projections $p_1$ and $p_2$ from $(\mathbb{N} \uplus \{\omega\})$ to $\mathbb{N}$ and $\{1, \omega\}$ respectively by

$$p_1(\omega) = 0 \qquad p_2(\omega) = \omega \qquad p_1(n) = n \qquad p_2(n) = 1$$

for $n < \omega$, and their natural extensions from $(\mathbb{N} \uplus \{\omega\})^k$ to $\mathbb{N}^k$ and $\{1, \omega\}^k$.

Consider the projection $(X_{i,j})_{i \geq 0, j \in J_i} = (p_1(s_{i,j}))_{i \geq 0, j \in J_i}$ on $\mathbb{N}^k$ of the sequence defined in Section 5.2.1. This sequence is $(p, g, p(X_0))$-controlled if $(s_{i,j})_{i \geq 0, j \in J_i}$ is $(p, g, p(X_0))$-controlled, and is $r$-good for any finite $r$ whenever the trace set of the affine counter system is unbounded.

Conversely, if the sequence $(X_{i,j})_{i \geq 0, j \in J_i}$ is $2^k$-good for the product ordering $\leq$ on $\mathbb{N}^k$, then the system has an increasing fork. Indeed, let $r = 2^k$; by definition of a $r$-good sequence, we can extract an increasing chain $X_{k_0} \leq X_{k_1} \leq \cdots \leq X_{k_r}$ from the sequence $(X_{i,j})_{i \geq 0, j \in J_i}$. Since $r = 2^k$, there exist $k_i < k_j$ such that $p_2(s_{k_i}) = p_2(s_{k_j})$, and therefore $s_{k_i} \leq s_{k_j}$, and we can apply Claim 21.2 to construct an increasing fork.

By Claim 22.1 the sequence $(X_{i,j})_{i \geq 0, j \in J_i}$ is $(p, g, p(X_0))$-controlled by a primitive-recursive function $g$, thus eventually majorized by some $F_l$ for some finite $l$; the length of its maximal $2^k$-bad prefix is eventually majorized by $F_{p+k-1}(p(X_0))$ for some finite $p$ (that depends on $g$, $k$ and $l$) according to Figueira et al. (2010). This gives a bound on the length of the maximal bad prefix of $(s_{i,j})_{i \geq 0, j \in J_i}$, which is eventually majorized by $F_\omega(p(X_0))$. □



5.2.3 $F_{\omega^\omega}$ Upper Bound for Lossy Channel Systems

Proposition 19 established a $F_{\omega^\omega}$ lower bound for the boundedness problem in lossy channel systems. We match this lower bound, thus establishing that boundedness is $F_{\omega^\omega}$-complete. As in Section 5.2.2, we need two results in order to instantiate our recipe for upper bounds: a control on complete functional LCS, and a miniaturization for their sequences of states.



Controlling Complete Functional LCS According to Abdulla et al. (2004), LCS queue contents on an alphabet $M$ can be represented by simple regular expressions (SRE) over $M$, which are finite unions of products over $M$. Products, endowed with the language inclusion ordering, suffice for the completion of functional LCS (Finkel and Goubault-Larrecq 2009a, Section 5), and thus for the representation of the effect of accelerated sequences in functional LCS. Products can be seen as finite sequences over a finite alphabet

$$\Pi_M = \{(a + \varepsilon) \mid a \in M\} \cup \{A^* \mid A \subseteq M\}$$

with $|\Pi_M| = 2^{|M|} + |M|$. We consider the scattered subword ordering $\preceq$ on $\Pi_M^*$, defined as usual by $a_1 \cdots a_m \preceq b_1 \cdots b_n$ if there exists a monotone injection $f : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that, for all $1 \leq i \leq m$, $a_i = b_{f(i)}$. The scattered subword ordering is compatible with language inclusion, thus we can consider the subword ordering instead of language inclusion in our completed functional LCS.¹

Claim 24.1. For all products $\pi, \pi'$ in $\Pi_M^*$, $\pi \preceq \pi'$ implies $L(\pi) \subseteq L(\pi')$.

Let us fix for the remainder of this section an arbitrary complete functional LCS $\mathcal{C} = (Q \times (\Pi_M)^*, (q_0, \varepsilon), \{!, ?\} \times M, \to, \leq)$, where $\leq$ is defined on configurations in $Q \times (\Pi_M)^*$ by $(q, \pi) \leq (q', \pi')$ if $q = q'$ and $L(\pi) \subseteq L(\pi')$.

Claim 24.2. Functional LCS are controlled by $(p, g, 0)$ with $p(q, \pi) = |\pi|$ and $g(x) = 2x + 2$.



Proof. The claim follows from the results of Abdulla et al. (2004) on SREs. Let the current configuration be $s = (q, \pi)$.

In the case of a single transition step $s \xrightarrow{a} s'$, a product grows by at most one atomic expression $(a + \varepsilon)$ (Abdulla et al. 2004, Lemma 6.1).

In the case of an accelerated transition step $s \twoheadrightarrow s'$ on a sequence $u$, since $s \xrightarrow{u} s''$ with $s \leq s''$, we are in one of the first three subcases of the proof of Lemma 6.4 of Abdulla et al. (2004): the first two subcases yield the addition of an atomic expression $A^*$, while the third subcase adds at most $|u| + 2$ atomic expressions of form $(a + \varepsilon)$. □



Miniaturization Cichon and Tahhan Bittar (1998) give an upper bound on the least $N$ such that any $(|\cdot|, g, t)$-controlled sequence $\sigma$ with $|\sigma| \geq N$ of elements in $(\Sigma^*, \preceq)$ is $r$-good:

Fact 23 (Cichon and Tahhan Bittar 1998). Let $g$ be a primitive-recursive unary function, $|\Sigma| = p$, and $t$ in $\mathbb{N}$. Then there exists a primitive-recursive function $f$ such that, if $\sigma$ is a $(|\cdot|, g, t)$-controlled $r$-bad sequence of $(\Sigma^*, \preceq)$, then $|\sigma|$ is bounded in terms of $f(\max(t, r))$.

Proposition 24. Trace boundedness for functional LCS is in $F_{\omega^\omega}$.

Proof. We consider the sequence of products $(\pi_{i,j})_{i \geq 0, j \in J_i}$ extracted from the sequence of configurations $(s_{i,j})_{i \geq 0, j \in J_i}$ defined in Section 5.2.1. This sequence of configurations is $r$-good for any finite $r$ whenever the trace set of the LCS is unbounded. Conversely, if the sequence $(\pi_{i,j})_{i \geq 0, j \in J_i}$ is $(|Q| + 1)$-good for the subword ordering $\preceq$, then $\mathcal{C}$ has an increasing fork. Indeed, let $r = |Q| + 1$; by definition of an $r$-good sequence, we can extract an increasing chain $\pi_{k_0} \preceq \pi_{k_1} \preceq \cdots \preceq \pi_{k_r}$ of length $|Q| + 1$ from the sequence $(\pi_{i,j})_{i \geq 0, j \in J_i}$. By Claim 24.1 this implies $L(\pi_{k_0}) \subseteq L(\pi_{k_1}) \subseteq \cdots \subseteq L(\pi_{k_r})$. Since $r = |Q|$, there exist $k_i < k_j$ such that $s_{k_i} = (q, \pi_{k_i})$ and $s_{k_j} = (q, \pi_{k_j})$ for some $q$ in $Q$. Thus $s_{k_i} \leq s_{k_j}$, and we can apply Claim 21.2 to construct an increasing fork.

As the sequence $(\pi_{i,j})_{i \geq 0, j \in J_i}$ is $(|\cdot|, g, 0)$-controlled by a primitive-recursive function according to Claim 24.2, the length of the sequence $(s_{i,j})_{i \geq 0, j \in J_i}$ need not exceed $F_{\omega^{|\Pi_M|}}(|Q|)$ by Fact 23, thus the upper bound is multiply-recursive, and we obtain the desired $F_{\omega^\omega}$ upper bound. □



¹ We could first define a partial ordering $\leq$ on $\Pi_M$ such that $(a + \varepsilon) \leq A^*$ whenever $a \in A$, and $A^* \leq B^*$ whenever $A \subseteq B$. The corresponding subword ordering (using $\leq$ in its definition) would be equivalent to language inclusion, and result in shorter bad sequences.
6 Verifying Bounded WSTS

As already mentioned in the introduction, liveness is generally undecidable for cd-WSTS. We show in this section that it becomes decidable for trace bounded systems obtained as the product of a cd-WSTS $\mathcal{S}$ with a deterministic Rabin automaton: we prove that it is decidable whether the language of $\omega$-words of such a system is empty (Section 6.2) and apply it to the LTL model checking problem (Section 6.3). We conclude the section with a short survey on decidability issues when model checking WSTS (Section 6.4); but first we emphasize again the interest of boundedness for forward analysis techniques.



6.1 Forward Analysis

Recall from the introduction that a forward analysis of the set of reachable states in an infinite LTS typically relies on acceleration techniques (see e.g. Bardin et al. 2005) applied to loops $w$ in $\Sigma^*$, provided one can effectively compute the effect of $w^*$. Computing the full reachability set (resp. coverability set for cd-WSTS) using a sequence $w_1^* \cdots w_n^*$ requires post* flattability (resp. cover flattability); however, as seen with Proposition 16 (resp. Finkel and Goubault-Larrecq 2009b, Proposition 6), both these properties are already undecidable for cd-WSTS.

Trace bounded systems answer this issue since we can compute an appropriate finite sequence $w_1, \ldots, w_n$ and use it as acceleration sequence. Thus forward analysis techniques become complete for bounded systems. The Presburger accelerable counter systems of Demri et al. (2011) are an example where, thanks to an appropriate representation for reachable states, the full reachability set is computable in the bounded case. In a more WSTS-centric setting, the forward Clover procedure of Finkel and Goubault-Larrecq for $\infty$-effective cd-WSTS terminates in the cover flattable case (Finkel and Goubault-Larrecq 2009b, Theorem 3), thus:

Corollary 25. Let $\mathcal{S}$ be a trace bounded $\infty$-effective cd-WSTS. Then a finite representation of $\mathrm{Cover}_{\mathcal{S}}(s_0)$ can effectively be computed.

Using the Cover set, one can answer state boundedness questions for WSTS. Furthermore, Cover sets and reachability sets coincide for lossy systems, and lossy channel systems in particular.



6.2 Deciding $\omega$-Language Emptiness

$\omega$-Regular Languages Let us recall the Rabin acceptance condition for $\omega$-words (indeed, our restriction to deterministic systems demands a stronger condition than the Büchi one). Let us set some notation for infinite words in a labeled transition system $\mathcal{S} = (S, s_0, \Sigma, \to)$. A sequence of states $\sigma$ in $S^\omega$ is an infinite execution for the infinite word $a_0a_1 \cdots$ in $\Sigma^\omega$ if $\sigma = s_0s_1 \cdots$ with $s_i \xrightarrow{a_i} s_{i+1}$ for all $i$. We denote by $T^\omega(\mathcal{S})$ the set of infinite words that have an execution. The infinity set of an infinite sequence $\sigma = s_0s_1 \cdots$ in $S^\omega$ is the set of symbols that appear infinitely often in $\sigma$: $\inf(\sigma) = \{s \in S \mid |\{i \in \mathbb{N} \mid s_i = s\}| = \omega\}$.

Let $\mathcal{S} = (S, s_0, \Sigma, \to, \leq)$ be a deterministic WSTS and $\mathcal{A} = (Q, q_0, \Sigma, \delta)$ a DFA. A Rabin acceptance condition is a finite set of pairs $(E_i, F_i)_i$ of finite subsets of $Q$. An infinite word $w$ in $\Sigma^\omega$ is accepted by $\mathcal{S} \times \mathcal{A}$ if its infinite execution $\sigma$ over $(S \times Q)^\omega$ verifies $\exists i\,(\inf(\sigma) \cap (S \times E_i) = \emptyset \wedge \inf(\sigma) \cap (S \times F_i) \neq \emptyset)$. The set of accepted infinite words is denoted by $L^\omega(\mathcal{S} \times \mathcal{A}, (E_i, F_i)_i)$. Thus an infinite run is accepting if, for some $i$, it goes only finitely often through the states of $E_i$, but infinitely often through the states of $F_i$.



Deciding Emptiness We reduce the emptiness problem for $L^\omega(\mathcal{S} \times \mathcal{A}, (E_i, F_i)_i)$ to the boundedness problem for a finite set of cd-WSTS, which is decidable by Theorem 2. Remark that the following does not hold for nondeterministic systems, since any system can be turned into a bounded one by simply relabeling every transition with a single letter $a$.

Theorem 26. Let $\mathcal{S}$ be an $\infty$-effective cd-WSTS, $\mathcal{A}$ a DFA, and $(E_i, F_i)_i$ a Rabin condition. If $\mathcal{S} \times \mathcal{A}$ is trace bounded, then it is decidable whether $L^\omega(\mathcal{S} \times \mathcal{A}, (E_i, F_i)_i)$ is empty.

Proof. Set $\mathcal{S} = (S, s_0, \Sigma, \to, \leq)$ and $\mathcal{A} = (Q, q_0, \Sigma, \delta)$.

We first construct one cd-WSTS $\mathcal{S}_{i,1}$ for each condition $(E_i, F_i)$ by adding to $\Sigma$ a fresh symbol $e_i$, to $S \times Q$ the pairs $(s, q_i)$ where $s$ is in $S$ and $q_i$ is a fresh state for each $q$ in $E_i$, and replace in $\to$ each transition $(s, q) \xrightarrow{a} (s', q')$ of $\mathcal{S} \times \mathcal{A}$ with $q$ in $E_i$ by two transitions $(s, q) \xrightarrow{e_i} (s, q_i) \xrightarrow{a} (s', q')$. Thus we meet in $\mathcal{S}_{i,1}$ an $e_i$ marker each time we visit some state in $E_i$.

Claim 26.1. Each $\mathcal{S}_{i,1}$ is a bounded cd-WSTS.

Proof of Claim 26.1. Observe that any trace of $\mathcal{S}_{i,1}$ is the image of a trace of $\mathcal{S} \times \mathcal{A}$ by a generalized sequential machine (GSM) $\mathcal{T}_i = (Q, q_0, \Sigma, \Sigma, \delta, \gamma)$ constructed from $\mathcal{A} = (Q, q_0, \Sigma, \delta)$ with the same set of states and the same transitions, and by setting the output function $\gamma$ from $Q \times \Sigma$ to $\Sigma^*$ to be

$$(q, a) \mapsto e_i a \text{ if } q \in E_i, \qquad (q, a) \mapsto a \text{ otherwise.}$$

Since bounded languages are closed under GSM mappings (Ginsburg and Spanier 1964, Corollary on p. 348) and $\mathcal{S} \times \mathcal{A}$ is bounded, we know that $\mathcal{S}_{i,1}$ is bounded. □

In a second phase, we add a new symbol $f_i$ and the elementary loops $(s, q) \xrightarrow{f_i} (s, q)$ for each $(s, q)$ in $S \times F_i$ to obtain a system $\mathcal{S}_{i,2}$. Any run that visits some state in $F_i$ has therefore the opportunity to loop on $f_i$.

In $\mathcal{S} \times \mathcal{A}$, visiting $F_i$ infinitely often implies that we can find two configurations $(s, q) \leq (s', q)$ with $q$ in $F_i$. In $\mathcal{S}_{i,2}$, we can thus recognize any sequence in $\{f_i, w\}^*$, where $(s, q) \xrightarrow{w} (s', q)$, from $(s', q)$: $\mathcal{S}_{i,2}$ is not bounded.

Claim 26.2. Each $\mathcal{S}_{i,2}$ is a cd-WSTS, and is unbounded iff there exists a run $\sigma$ in $\mathcal{S} \times \mathcal{A}$ with $\inf(\sigma) \cap (S \times F_i) \neq \emptyset$.



Proof of Claim 26.2. If there exists a run $\sigma$ in $\mathcal{S} \times \mathcal{A}$ with $\inf(\sigma) \cap (S \times F_i) \neq \emptyset$, then we can consider the infinite sequence of visited states in $S \times F_i$ along $\sigma$. Since $\leq$ is a well quasi ordering on $S \times Q$, there exist two steps $(s, q)$ and later $(s', q')$ in this sequence with $(s, q) \leq (s', q')$. Observe that the same execution $\sigma$, modulo the transitions introduced in $\mathcal{S}_{i,1}$, is also possible in $\mathcal{S}_{i,2}$. Denote by $w$ in $\Sigma^*$ the sequence of transitions between these two steps, i.e. $(s, q) \xrightarrow{w} (s', q')$. By monotonicity of the transition relation of $\mathcal{S}_{i,2}$, we can recognize any sequence in $\{f_i, w\}^*$ from $(s', q')$. Thus $\mathcal{S}_{i,2}$ is not bounded.

Conversely, suppose that $\mathcal{S}_{i,2}$ is not bounded. By Lemma 11 it has an increasing fork with $(s_0, q_0) \xrightarrow{w} (s, q) \xrightarrow{au} (s_a, q)$ and $(s, q) \xrightarrow{bv} (s_b, q)$, $s_a \geq s$, $s_b \geq s$, $a \neq b$ in $\Sigma \uplus \{e_i, f_i\}$, $u, v$ in $(\Sigma \uplus \{e_i, f_i\})^*$, and $w$ in $(\Sigma \uplus \{e_i, f_i\})^*$.

Observe that if $f_i$ only appears in the initial segment labeled by $w$, then a similar fork could be found in $\mathcal{S}_{i,1}$, since $(s, q)$ would also be accessible. Thus, by Lemma 7, $\mathcal{S}_{i,1}$ would not be bounded. Therefore $f_i$ appears in $au$ or $bv$, and thus the corresponding runs for $au$ or $bv$ visit some state in $F_i$. But then, by monotonicity, we can construct a run that visits a state in $F_i$ infinitely often. □

In the last, third step, we construct the synchronous product $\mathcal{S}_{i,3} = \mathcal{S}_{i,2} \times \mathcal{A}_i$, where $\mathcal{A}_i$ is a DFA for the language $(\Sigma \uplus \{e_i\})^* f_i (\Sigma \uplus \{f_i\})^*$ (where $\uplus$ denotes a disjoint union). This ensures that any run of $\mathcal{S}_{i,3}$ that goes through at least one $f_i$ cannot go through any $e_i$ any longer, hence it visits the states in $E_i$ only finitely many times. Since a run can always choose not to go through a $f_i$ loop, the previous claim still holds. Therefore each $\mathcal{S}_{i,3}$ is a cd-WSTS, is unbounded iff there exists a run $\sigma$ in $\mathcal{S} \times \mathcal{A}$ with $\inf(\sigma) \cap (S \times E_i) = \emptyset$ and $\inf(\sigma) \cap (S \times F_i) \neq \emptyset$, and we can apply Theorem 2. □

6.3 Model Checking LTL Formulae

By standard automata-theoretic arguments (Vardi and Wolper 1986; Safra 1988), one can convert any linear-time temporal logic (LTL) formula $\varphi$ over a finite set $AP$ of atomic propositions, representing transition predicates, into a deterministic Rabin automaton $\mathcal{A}_{\neg\varphi}$ that recognizes exactly the runs over $\Sigma = 2^{AP}$ that model $\neg\varphi$. The synchronized product of $\mathcal{A}_{\neg\varphi}$ with a complete, deterministic, $\infty$-effective, and trace bounded WSTS $\mathcal{S}$ is again trace bounded, and such that $L^\omega(\mathcal{S} \times \mathcal{A}, (E_i, F_i)_i) = T^\omega(\mathcal{S}) \cap L^\omega(\mathcal{A}, (E_i, F_i)_i)$. Theorem 26 entails that we can decide whether this language is empty, and whether all the infinite traces of $\mathcal{S}$ verify $\varphi$, noted $\mathcal{S} \models \varphi$. This reduction also works for LTL extensions that remain $\omega$-regular.

Corollary 27. Let $\mathcal{S} = (S, s_0, 2^{AP}, \to, \leq)$ be an $\infty$-effective trace bounded cd-WSTS, and $\varphi$ a LTL formula on the set $AP$ of atomic propositions. It is decidable whether $\mathcal{S} \models \varphi$.



An alternative application of Theorem 26 is, rather than relying on the boundedness of $\mathcal{S}$, to ensure that $\mathcal{A}_{\neg\varphi}$ is bounded. To this end, the following slight adaptation of the flat counter logic of Comon and Cortier (2000) is appropriate:

Definition 28. A LTL formula on a set $AP$ of atomic propositions is co-flat if it is of form $\neg\varphi$, where $\varphi$ follows the abstract syntax, where $\alpha$ stands for a letter in $2^{AP}$:

$$\varphi ::= \varphi \wedge \varphi \mid \varphi \vee \varphi \mid X\varphi \mid \alpha\,U\,\varphi \mid G\alpha \qquad \text{(flat formulae)}$$

$$\alpha ::= \bigwedge p \wedge \bigwedge \neg p. \qquad \text{(alphabetic formulae)}$$

In a conjunction $\varphi \wedge \varphi'$, one of $\varphi$ or $\varphi'$ could actually be an arbitrary LTL formula.

One can easily check that flat formulae define languages of infinite words with bounded sets of finite prefixes, and we obtain:

Corollary 29. Let $\mathcal{S} = (S, s_0, 2^{AP}, \to, \leq)$ be an $\infty$-effective cd-WSTS, and $\varphi$ a co-flat LTL formula on the set $AP$ of atomic propositions. It is decidable whether $\mathcal{S} \models \varphi$.



Extensions of Corollary 29 to less restrictive LTL fragments are possible, but 
lead to rather unnatural conditions on the shape of formulas. 



6.4 Beyond $\omega$-Regular Properties

We survey in this section some results from the model checking literature and their consequences for several classes of bounded WSTS. Outside the realm of $\omega$-regular properties, we find essentially two kinds of properties: state-based properties or branching properties, or indeed a blend of the two (Demri et al. 2011; Baier et al. 2006; Goubault-Larrecq 2007).



Affine Counter Systems Not all properties are decidable for bounded cd-WSTS, as seen with the following theorem on affine counter systems. Since these systems are otherwise completable, deterministic, and $\infty$-effective, action-based properties are decidable for them using Theorem 26, but we infer that state-based properties are undecidable for bounded $\infty$-effective cd-WSTS.

Theorem 30 (Cortier 2002). Reachability is undecidable for trace bounded affine counter systems.

Affine counter systems are thus the only class of systems (besides Minsky counter machines) in Figure 2 for which boundedness does not yield a decidable reachability problem.



Presburger Accelerable Counter Systems Demri et al. (2011) study the class of bounded counter systems for which accelerations can be expressed as Presburger relations.² Well-structured $\infty$-effective Presburger accelerable counter systems include bounded reset/transfer Petri nets and broadcast protocols, and Theorem 26 shows that $\omega$-regular properties are decidable for them.

By the results of Demri et al., not only is the full reachability set computable for these systems, but furthermore an extension of state-based CTL* model checking with Presburger quantification on the paths is also decidable.



Guarded Properties Let us recall that state-based LTL model checking is already undecidable for Petri nets (Esparza 1997). However, state-based properties become decidable for WSTS if they only allow to reason about upward-closed sets. This insight is applied by Baier et al. (2006), who define an upward and downward guarded fragment of state-based $\mu$-calculus and prove its decidability for all WSTS. Goubault-Larrecq (2007) presents a generalization to open sets in well topological spaces. Extensions of Theorem 26 along these lines could be investigated.

² Whether boundedness is decidable for deterministic Presburger accelerable counter systems (i.e. not necessarily well-structured) is not currently known, while Proposition 15 answers negatively in the nondeterministic well-structured case.



7 On Unbounded WSTS

As many systems display some commutative behavior, and on that account fail to be bounded, Bardin et al. (2005, Section 5.2) introduce reductions in order to enumerate the possible bounded expressions more efficiently, e.g. removal of identity loops, of useless conjugated sequences of transitions, and of commuting sequences. Such reductions are systematically looked for, up to some fixed length of the considered sequences.

Increasing forks suggest a different angle on this issue: whenever we identify a source of unboundedness, we could try to check whether the involved sequences commute, normalize our system, and restart the procedure on the new system, which is trace-equivalent modulo the spotted commutation. Considering again the example Petri net of Figure 3, the two sequences $c$ and $d$ responsible for an increasing fork do commute. If we were to force any sequence of transitions in $\{c, d\}^*$ to be in the set $(cd)^*(c^* \cup d^*)$, then

• the set of reachable states would remain the same, but

• the normalized trace set would be

$$a^* \cup \bigcup_{0 \leq 2m \leq n} a^n b (cd)^m (c^{n-2m} \cup d^{n-2m}),$$

which is bounded.

Provided the properties to be tested do not depend on the relative order of $c$ and $d$, we would now be able to apply Theorem 26.

We formalize this idea in Section 7.3 using a partial commutation relation (see Section 7.1 for background on partial commutations), and illustrate its interest for a bounded-session version of the Alternating Bit Protocol (see Section 7.2 for background on this protocol).



7.1 Partial Commutations

Let $\Sigma$ be a finite alphabet; a dependence relation $D \subseteq \Sigma \times \Sigma$ is a reflexive and symmetric relation on $\Sigma$. Its complement $I = \Sigma \times \Sigma \setminus D$ is an independence relation. On words in $\Sigma^*$, an independence relation can be interpreted as a congruence $\sim_I \subseteq \Sigma^* \times \Sigma^*$ generated by repeated applications of $ab \leftrightarrow_I ba$ for some $(a, b)$ in $I$: $\sim_I = \leftrightarrow_I^*$, where $w \leftrightarrow_I w'$ if and only if there exist $u$ and $v$ in $\Sigma^*$ and $(a, b)$ in $I$ with $w = uabv$ and $w' = ubav$. We work on infinite words modulo the partial commutations described by $I$.



Closure The limit extension $\sim_I^{lim} \subseteq \Sigma^\omega \times \Sigma^\omega$ of the congruence $\sim_I$ (Diekert et al. 1995; Peled et al. 1998) is defined by $\sigma \sim_I^{lim} \sigma'$ iff

• for every finite prefix $u$ of $\sigma$, there is a finite prefix $u'$ of $\sigma'$ and a finite word $v$ of $\Sigma^*$ such that $uv \sim_I u'$, and

• symmetrically, for every finite prefix $u'$ of $\sigma'$, there is a finite prefix $u$ of $\sigma$ and a finite word $v'$ of $\Sigma^*$ such that $u'v' \sim_I u$.

Figure 11: The transfer Petri net $\mathcal{N}'$ of the proof of Proposition 33.

Consider for instance the relation $I = \{(a, b), (b, a)\}$; then $(aab)^\omega \sim_I^{lim} (ab)^\omega$ (e.g. $(aab)^n b^n \sim_I (ab)^{2n}$ and $(ab)^n a^n \sim_I (aab)^n$), but $(aab)^\omega \not\sim_I^{lim} a^\omega$ (e.g. $(aab)^n v \not\sim_I a^m$ for all $n > 0$, $m > 0$, and $v$ in $\Sigma^*$).

A language $L \subseteq \Sigma^*$ (resp. $L \subseteq \Sigma^\omega$) is $I$-closed if for any $\sigma$ in $L$, and for every $\sigma'$ with $\sigma \sim_I \sigma'$ (resp. $\sigma \sim_I^{lim} \sigma'$), $\sigma'$ is also in $L$. The closure of an $\omega$-regular language for a given partial commutation is decidable, and more precisely PSPACE-complete if the language is given as a Büchi automaton or an LTL formula (Peled et al. 1998).



Definition 31. An LTS is $I$-diamond if, for any pair $(a, b)$ of $I$, and for any states $s$ in $\mathrm{dom} \xrightarrow{ab} \cap\ \mathrm{dom} \xrightarrow{ba}$ and $s'$ in $S$, $s \xrightarrow{ab} s'$ iff $s \xrightarrow{ba} s'$.

We have the following sufficient condition for the closure of $T^\omega(\mathcal{S})$, which is decidable for $I$-diamond WSTS: just compare the elements in the finite bases for $\mathrm{dom} \xrightarrow{ab}$ and $\mathrm{dom} \xrightarrow{ba}$.

Lemma 32. Let $I$ be an independence relation and $\mathcal{S}$ an LTS, both on $\Sigma$. If $\mathcal{S}$ is $I$-diamond and, for all $(a, b)$ of $I$, $\mathrm{dom} \xrightarrow{ab} = \mathrm{dom} \xrightarrow{ba}$, then $T^\omega(\mathcal{S})$ is $I$-closed.

Proof. One can easily check that this condition implies that the set of finite traces $T(S)$ is $I$-closed. 

Let now $\sigma$ be an infinite word in $T^\omega(S)$, and $\sigma'$ an infinite word in $\Sigma^\omega$ with $\sigma \sim_I^{\mathrm{lim}} \sigma'$, but suppose that $\sigma'$ is not in $T^\omega(S)$. Thus there exists a finite prefix $u'$ of $\sigma'$ that does not belong to $T(S)$. By definition of $\sim_I^{\mathrm{lim}}$, there is however a prefix $u$ of $\sigma$ and a word $v'$ of $\Sigma^*$ such that $u'v' \sim_I u$. But this contradicts the closure of $T(S)$, since $u$ is in $T(S)$, but $u'v'$ is not — or $u'$ would be in the prefix-closed language $T(S)$. □ 

However, already in the case of $I$-diamond WSTS and already for finite traces, $I$-closure is undecidable; a sufficient condition like Lemma 32 is the best we can hope for. 

Proposition 33. Let $I$ be an independence relation and $S$ an $I$-diamond cd-WSTS, both on $\Sigma$. It is undecidable whether $T(S)$ is $I$-closed or not. 

Proof. We reduce the (undecidable) reachability problem for a transfer Petri net $\mathcal{N}$ and a marking $m$ (Dufourd et al. 1998) to the $I$-closure problem for a new transfer Petri net $\mathcal{N}'$. Let us recall that a transfer arc $(p, t, p')$ transfers all the tokens from a place $p$ to another place $p'$ when $t$ is fired. 

The new transfer Petri net $\mathcal{N}'$ extends $\mathcal{N}$ with three new places sim, sum, and test, and three new transitions $t$, $a$, and $b$ (see Figure 11). Its initial marking is expanded so that sim originally contains one token, sum the sum $s_{m_0} = \sum_p m_0(p)$ of all the tokens in the initial marking of $\mathcal{N}$, and test no token. It simulates $\mathcal{N}$ while a token resides in sim, and updates sum so that it contains at all times the sum of the tokens in all the places of $\mathcal{N}$. Transfer arcs are not an issue since they do not change this overall sum of tokens. Nondeterministically, $\mathcal{N}'$ fires $t$, which removes $m(p)$ tokens from each place $p$ of $\mathcal{N}$, one token from sim, $s_m = \sum_p m(p)$ tokens from sum, and places one token in test. 

Now, a token can appear in test if and only if a marking $m'$ larger than $m$ can be reached in $\mathcal{N}'$. Furthermore, the distance $m'(p) - m(p)$ is in sum, so that $m$ is reachable in $\mathcal{N}$ if and only if a marking with one token in test and no token in sum is reachable in $\mathcal{N}'$. 

The latter condition is tested by having $a$ remove one token from test and put one token in sum and one back in test, and $b$ remove one from sum and test and put them back. Set $I = \{(a,b),(b,a)\}$; $\mathcal{N}'$ is $I$-diamond. The transition sequence $ab$ can be fired if and only if there is a token in test, but $ba$ further requires sum not to be empty. Thus $a$ and $b$ do not commute if and only if $m$ is reachable in $\mathcal{N}$. □ 
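As an added illustration of Definition 31 and of the sufficient condition of Lemma 32 (example code written for this edit, not code from the paper), the following Python checks the condition on transitions given as pre/post token vectors over a tuple of counters, in the style of the $a$/$b$ gadget used in the proof of Proposition 33. The function names, the two sample nets and the choice of counters are this example's own assumptions. For such additive transitions the $I$-diamond property holds by itself (firing $ab$ or $ba$ adds the same total effect), so the check reduces to comparing the least markings enabling $ab$ and $ba$, which are the one-element bases of the upward-closed sets $\mathrm{dom}(\xrightarrow{ab})$ and $\mathrm{dom}(\xrightarrow{ba})$.

```python
"""Lemma 32 check on vector-addition transitions (constructed example).

Transitions are given as (pre, post) token vectors over a tuple of counters,
i.e. Petri-net style guarded additions. For such transitions the I-diamond
property of Definition 31 holds by itself (ab and ba add the same total
effect), so Lemma 32 reduces to comparing the least markings enabling ab
and ba, which are the one-element bases of dom(ab->) and dom(ba->).
"""
from typing import Dict, Iterable, Optional, Sequence, Tuple

Vec = Tuple[int, ...]
Transition = Tuple[Vec, Vec]   # (pre, post): tokens consumed, tokens produced
Net = Dict[str, Transition]    # transition label -> transition


def fire(marking: Vec, word: Iterable[str], net: Net) -> Optional[Vec]:
    """Fire `word` from `marking`; None if some transition is not enabled."""
    m = marking
    for t in word:
        pre, post = net[t]
        if any(x < p for x, p in zip(m, pre)):
            return None
        m = tuple(x - p + q for x, p, q in zip(m, pre, post))
    return m


def min_enabling(word: Sequence[str], net: Net) -> Vec:
    """Least marking enabling the whole sequence `word`: the unique minimal
    element of the upward-closed set dom(word->). Computed backwards: before
    firing t we need pre_t, and after t's effect we must still have need(rest)."""
    dim = len(next(iter(net.values()))[0])
    need: Vec = (0,) * dim
    for t in reversed(word):
        pre, post = net[t]
        after = tuple(n + p - q for n, p, q in zip(need, pre, post))
        need = tuple(max(p, a) for p, a in zip(pre, after))
    return need


def is_i_diamond_at(marking: Vec, I: Iterable[Tuple[str, str]], net: Net) -> bool:
    """Definition 31 at one marking: whenever both ab and ba are enabled,
    they must reach the same marking."""
    for a, b in I:
        ab, ba = fire(marking, [a, b], net), fire(marking, [b, a], net)
        if ab is not None and ba is not None and ab != ba:
            return False
    return True


def lemma32_condition(I: Iterable[Tuple[str, str]], net: Net) -> bool:
    """Sufficient condition of Lemma 32: dom(ab->) = dom(ba->) for all (a,b) in I.
    Both sets are upward closed with a single minimal element, so comparing
    the two least enabling markings compares the whole sets."""
    return all(min_enabling([a, b], net) == min_enabling([b, a], net) for a, b in I)


# Constructed sample 1: the a/b gadget of the proof of Proposition 33, keeping
# only the two counters (test, sum). `a` needs a token in test and adds one to
# sum; `b` needs test and sum to be non-empty and puts both tokens back.
GADGET: Net = {
    "a": ((1, 0), (1, 1)),
    "b": ((1, 1), (1, 1)),
}

# Constructed sample 2: two receive loops on two different channels, counted
# as two independent counters, in the spirit of the commuting ABP loops.
TWO_CHANNELS: Net = {
    "a": ((1, 0), (0, 0)),
    "b": ((0, 1), (0, 0)),
}

I_AB = [("a", "b"), ("b", "a")]


def report(net: Net) -> Dict[str, object]:
    """Summary of both checks for a net (used by the demo below)."""
    return {
        "min_ab": min_enabling(["a", "b"], net),
        "min_ba": min_enabling(["b", "a"], net),
        "lemma32": lemma32_condition(I_AB, net),
    }


if __name__ == "__main__":
    # From (test, sum) = (1, 0) the gadget fires ab but not ba, so its traces
    # are not I-closed there, and the Lemma 32 condition correctly fails.
    print("gadget:", report(GADGET), fire((1, 0), "ab", GADGET), fire((1, 0), "ba", GADGET))
    print("two channels:", report(TWO_CHANNELS))
```

For the gadget the least marking enabling $ab$ is $(1,0)$ while $ba$ needs $(1,1)$, so the bases differ and the sufficient condition is not met; for the two independent receive loops both bases are $(1,1)$ and Lemma 32 applies. Since the condition is only sufficient, a failed check does not by itself prove non-closure, which is consistent with Proposition 33.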

Foata Normal Form Let us assume an arbitrary linear ordering $<$ on $\Sigma$. For an independence relation $I$, we denote by $C(I)$ the set of cliques of $I$, i.e. 

$C(I) = \{C \subseteq \Sigma \mid \forall a, b \in C,\ (a,b) \in I\}$ . 

We further introduce a homomorphism $\nu : 2^\Sigma \to \Sigma^*$ by 

$\nu(\{a_1, a_2, \ldots, a_k\}) = a_1 a_2 \cdots a_k$ if $a_1 < a_2 < \cdots < a_k$ . 



An infinite word $\sigma$ in $\Sigma^\omega$ is in Foata normal form (see e.g. Gastin and Petit 1995) if there is an infinite decomposition $\sigma = \nu(C_0)\nu(C_1)\cdots$ with each $C_i$ in $C(I)$, and for each $a$ in $C_i$, there exists $b$ in $C_{i-1}$ such that $(a,b)$ is in $D$. As indicated by its name, for any word $\sigma$ in $\Sigma^\omega$, there exists a unique word $\mathrm{fnf}_I(\sigma)$ in Foata normal form such that $\sigma \sim_I^{\mathrm{lim}} \mathrm{fnf}_I(\sigma)$. For instance $\mathrm{fnf}_I((aab)^\omega) = (ab)^\omega$ for $I = \{(a,b),(b,a)\}$. 

Let us finally define the normalizing language $N_I$ of $I$ as the set of all infinite words in Foata normal form. The following lemma shows that $N_I$ is very well behaved, being recognized by a deterministic Büchi automaton $B_I$ with only accepting states. Thus its synchronous product with a WSTS $S$ does not require the addition of an acceptance condition: $T^\omega(S \times B_I) = T^\omega(S) \cap N_I$. 

Lemma 34. Let $I$ be an independence relation on $\Sigma$. Then $N_I$ is a topologically closed $\omega$-regular language. 

Proof. The topologically closed $\omega$-regular languages, aka "safety" languages, are the languages recognized by finite deterministic Büchi automata with only accepting states. We provide such an automaton $B_I = (Q, \Sigma, q_0, \delta, Q)$ such that $L(B_I) = N_I$. 

Set $Q = \{q_0\} \cup (C(I) \cup \{\Sigma\}) \times C(I) \times \Sigma$. We define $\delta(q_0, a)$ as $(\Sigma, \{a\}, a)$ for all $a$ in $\Sigma$; for all $C_1$ in $C(I) \cup \{\Sigma\}$, $C_2$ in $C(I)$, $a, b$ in $\Sigma$, we define $\delta((C_1, C_2, a), b)$ by 

$\delta((C_1, C_2, a), b) = \begin{cases} (C_1, C_2 \cup \{b\}, b) & \text{if } a < b,\ \exists d \in C_1,\ (b,d) \in D,\ \text{and } \forall d \in C_2,\ (b,d) \in I, \\ (C_2, \{b\}, b) & \text{if } \exists d \in C_2,\ (b,d) \in D. \end{cases}$ 

The automaton simultaneously checks that consecutive cliques enforce the Foata normal form, and that the individual letters of each clique are ordered according to $<$. □ 
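To make the Foata normal form and the automaton $B_I$ of Lemma 34 concrete, here is an added Python example (written for this edit, not the paper's or any library's code). It computes the normal form of a finite word by the usual Cartier–Foata levelling, implements the transition function $\delta$ of the proof above as a deterministic automaton with every state accepting, and cross-checks the two on a small alphabet. The alphabet $\{a,b,c\}$ with only $a$ and $b$ commuting, the ordering $a<b<c$, and all names are this example's own assumptions; the marker `SIGMA` plays the role of the component $\Sigma$ in the states of $B_I$.

```python
"""Foata normal form and the automaton B_I of Lemma 34 (constructed example).

I is an independence relation on Sigma (symmetric, irreflexive); D is its
complement, so every letter depends on itself. Letters inside a clique are
written in a fixed order `order`, playing the role of the ordering < on Sigma.
"""
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple, Union

Relation = Set[Tuple[str, str]]


def dependent(I: Relation, a: str, b: str) -> bool:
    """(a, b) is in D, the complement of I in Sigma x Sigma."""
    return (a, b) not in I


def foata_normal_form(word: Iterable[str], I: Relation, order: Dict[str, int]) -> str:
    """Cartier-Foata normal form of a finite word: each letter is placed one
    level above the highest level of any earlier letter it depends on, so the
    letters of one level form a clique of I and every letter of level i+1
    depends on some letter of level i. Levels are then written in `order`."""
    top: Dict[str, int] = {}        # highest level reached so far by each letter
    levels: List[Set[str]] = []
    for b in word:
        lvl = max((lv for d, lv in top.items() if dependent(I, b, d)), default=0) + 1
        top[b] = lvl
        while len(levels) < lvl:
            levels.append(set())
        levels[lvl - 1].add(b)
    return "".join("".join(sorted(c, key=order.__getitem__)) for c in levels)


SIGMA = "sigma"   # marker for the whole alphabet as "previous clique" after q0
State = Union[str, Tuple[Union[str, FrozenSet[str]], FrozenSet[str], str]]


class FoataAutomaton:
    """Deterministic automaton B_I with every state accepting: a word is in
    N_I iff the automaton never blocks on it. States are q0 or (C1, C2, a):
    previous clique, current (partial) clique, last letter read."""

    def __init__(self, I: Relation, order: Dict[str, int]) -> None:
        self.I, self.order = I, order

    def step(self, state: State, b: str) -> Optional[State]:
        if state == "q0":
            return (SIGMA, frozenset({b}), b)
        C1, C2, a = state
        depends_on_prev = C1 == SIGMA or any(dependent(self.I, b, d) for d in C1)
        if (self.order[a] < self.order[b] and depends_on_prev
                and all((b, d) in self.I for d in C2)):
            return (C1, C2 | {b}, b)            # b joins the current clique
        if any(dependent(self.I, b, d) for d in C2):
            return (C2, frozenset({b}), b)      # b opens the next clique
        return None                             # blocked: not in normal form

    def has_run(self, word: Iterable[str]) -> bool:
        """True iff the finite word (or prefix) is read without blocking."""
        state: Optional[State] = "q0"
        for b in word:
            state = self.step(state, b)
            if state is None:
                return False
        return True


# Constructed alphabet {a, b, c} where only a and b commute; a < b < c.
ORDER = {"a": 0, "b": 1, "c": 2}
I_AB: Relation = {("a", "b"), ("b", "a")}
B_I = FoataAutomaton(I_AB, ORDER)


def automaton_matches_normal_form(max_len: int) -> bool:
    """Cross-check: B_I reads a finite word without blocking exactly when the
    word is its own Foata normal form, for all words up to `max_len`."""
    for n in range(max_len + 1):
        for letters in product("abc", repeat=n):
            w = "".join(letters)
            if B_I.has_run(w) != (foata_normal_form(w, I_AB, ORDER) == w):
                return False
    return True


if __name__ == "__main__":
    # (aab)^3 normalizes to (ab)^3 a^3, matching (ab)^n a^n ~_I (aab)^n above;
    # its first 2n letters are those of fnf_I((aab)^omega) = (ab)^omega.
    print(foata_normal_form("aab" * 3, I_AB, ORDER))
    print(B_I.has_run("ababab"), B_I.has_run("aab"))
    print(automaton_matches_normal_form(6))
```

The automaton is a safety automaton in the sense of the proof: it has no acceptance condition to track, and an infinite word belongs to $N_I$ exactly when no finite prefix blocks it, which is what `has_run` decides prefix by prefix. The finite normal forms $(ab)^n a^n$ of the prefixes $(aab)^n$ agree on their first $2n$ letters with $(ab)^\omega$, the normal form of $(aab)^\omega$ given in the text.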



7.2 The Alternating Bit Protocol 

The Alternating Bit Protocol (ABP) is one of the oldest case studies (Bochmann and Sunshine 1980). It remains interesting today because no complete and automatic procedure exists for its verification. It can be nicely modeled as a lossy channel system (see Abdulla et al. 2004 and the next discussion "A Quick Tour"), but even in this representation, liveness properties cannot be checked. We believe it provides a good illustration of the kind of issues that make a system unbounded, which we categorize into commutativity issues, which we tackle through normalization, and main control loop issues, which we avoid by bounding the number of sessions. 



A Quick Tour If the ABP is modeled as a fifo automaton (in fact two finite automata communicating through two fifo queues), then all non-trivial properties are undecidable, because fifo automata can simulate Turing machines (see e.g. Brand and Zafiropulo 1983). Nevertheless, several classes of fifo automata have been studied in the literature, often with decidable reachability problems: 

• One may observe that for any control state $q$ of this particular fifo automaton, the language of the two fifo queues is recognizable (as a subset of $\{q\} \times A^* \times B^*$ where $A$ and $B$ are the alphabets of the queues). Pachl (1982) has shown that reachability and safety are then decidable. But this recognizability property itself is in general undecidable. 

• One may also observe that the languages of the fifo queues contents are bounded (Finkel and Choquet 1987), and then one may simulate the fifo automaton with a Petri net and decide reachability. Again, this subclass of fifo automata is not recursive. 

• Yet another way is to use loop acceleration with CQDDs as symbolic representations (Bouajjani and Habermehl 1999), and to observe that the reachability set is CQDD computable; but still without termination guarantee when applied to non-flat systems. 

Neither of these techniques is fully automatic nor allows to check liveness properties. 
Figure 12: The Alternating Bit Protocol. 

Figure 13: Synchronized view of the ABP. 



The most effective approach is arguably to model the ABP as a lossy channel system (see Figure 12); reachability and safety are then decidable, but liveness remains undecidable. Furthermore, a forward analysis using SREs as symbolic representations — as performed by a tool like TReX — will terminate and construct a finite symbolic graph (for the verification of safety properties) (Abdulla et al. 2004): indeed, the ABP is cover flattable, but unfortunately this property is in general undecidable. 

Verification We model the ABP as two functional lossy channel systems (Sender and Receiver) that run in parallel, and communicate through two shared channels $c_M$ for messages and $c_A$ for acknowledgments. Our correctness property is whether each sent message (proposition $\mathit{snd}$) is eventually received (proposition $\mathit{rcv}$): 

$\mathbf{G}(\mathit{snd} \Rightarrow \mathbf{X}(\neg\mathit{snd}\ \mathbf{U}\ \mathit{rcv}))$ ,   ($\varphi_{\mathrm{abp}}$) 

under a weak fairness assumption (every continuously firable transition is eventually fired). 

The full system is displayed for its useful accessible part in Figure 13 with Receiver's transitions in grey. This system is visibly not bounded, thus we cannot apply Theorem 26 alone. 
7.3 Bounded Modulo I 

The search for increasing forks on the ABP successively finds four witnesses of unboundedness in states 10, 12, 32, and 30, where at each occasion two competing elementary loops can be fired. Thankfully, all these loops commute, because they involve two different channels. Our goal is to transform our system in order to remove these forks, while maintaining the ability to verify $\varphi_{\mathrm{abp}}$. 

Definition 35. A WSTS $S$ is trace bounded modulo $I$, an independence relation, if $T^\omega(S)$ is $I$-closed and the set of finite prefixes of the normalized language $T^\omega(S) \cap N_I$ is trace bounded. 



By Lemma 34 we can construct a cd-WSTS $S'$ for $T^\omega(S) \cap N_I$, and decide whether it is bounded thanks to Theorem 2. Thus boundedness modulo $I$ is decidable for $I$-closed WSTS. 

Finally, provided the language $L(\neg\varphi)$ of the property to verify is also $I$-closed, the normalized system and the original system are equivalent when it comes to verifying $\varphi$. Indeed, we can generalize Theorem 26 to bounded modulo $I$ cd-WSTS and $I$-closed $\omega$-regular languages: 

Theorem 36. Let $I$ be an independence relation, $S$ be a trace bounded modulo $I$ cd-WSTS, and $L$ an $I$-closed $\omega$-regular language, all three on $\Sigma$. Then it is decidable whether $T^\omega(S) \cap L$ is empty. 

Proof. By Lemma 34 we can construct a cd-WSTS $S'$ for $T^\omega(S) \cap N_I$, which will be bounded by hypothesis. Wlog., we can assume that we have a DFA with a Rabin acceptance condition for $L$, and can apply Theorem 26 to decide whether $T^\omega(S') \cap L = \emptyset$. It remains to prove that 

$T^\omega(S) \cap L = \emptyset \iff T^\omega(S') \cap L = \emptyset$ . 

Obviously, if $T^\omega(S) \cap L$ is empty, then the same holds for $T^\omega(S') \cap L$. For the converse, let $\sigma$ be a word in $T^\omega(S) \cap L$. Then, since $S$ is $I$-closed, $\mathrm{fnf}_I(\sigma)$ also belongs to $T^\omega(S)$ and to $N_I$, and thus to $T^\omega(S')$. And because $L$ is $I$-closed, $\mathrm{fnf}_I(\sigma)$ further belongs to $L$, hence to $T^\omega(S') \cap L$. □ 

Once our system is normalized against partial commutations, the only remaining source of unboundedness is the main control loop. By bounding the number of sessions of the protocol, i.e. by unfolding this main control loop a bounded number of times, we obtain a bounded system. 

This transformation would disrupt the verification of $\varphi_{\mathrm{abp}}$ if it were not for the two following observations: 

1. The full set of all reachable configurations is already explored after two traversals of the main control loop. This is established automatically thanks to Corollary 25 on the 2-unfolding of the normalized ABP, which is a bounded cd-WSTS. Thus any possible session, with any possible reachable initial configuration, can already be exhibited at the second traversal of the system. 

2. Our property $\varphi_{\mathrm{abp}}$ is intra-session: it only requires to be tested against any possible session. 
Table 2: Some decidability results for selected classes of cd-WSTS — Petri 
nets (PN), affine counter systems (ACS), and functional lossy channel systems 
(LCS) — in the trace unbounded and trace bounded cases. 

                    PN    Bounded PN    ACS    Bounded ACS    LCS    Bounded LCS 
  Reachability      Yes   Yes           No     No             Yes    Yes 
  Post* inclusion   No    Yes           No     No             No     Yes 
  Liveness          Yes   Yes           No     Yes            No     Yes 



The overall approach, thanks to the concept of boundedness modulo partial commutations, thus succeeds in reducing the ABP to a bounded system where our liveness property can be verified. 

8 Boundedness is not a Weakness 

To paraphrase the title Flatness is not a Weakness (Comon and Cortier 2000), boundedness is a powerful property for the analysis of systems, as demonstrated with the termination of forward analyses and the decidability of $\omega$-regular properties for bounded WSTS (see also Table 2) — and is implied by flatness. More examples of its interest can be found in the recent literature on the verification of multithreaded programs, where boundedness of the context-free synchronization languages yields decidable reachability (Kahlon 2009; Ganty et al. 2010). 

Most prominently, boundedness has the considerable virtue of being decidable for a large class of systems, the $\omega$-effective complete deterministic WSTS. There is furthermore a range of unexplored possibilities beyond partial commutations (starting with semi-commutations or contextual commutations) that could help turn a system into a bounded one. 